Texthelp Ltd

Information Security Policy




<p>ISMS 1.2 Information Security Policy : Issue 1 Rev 22 : Last reviewed 27-02-2023</p>

<h2>Policy Summary</h2>
<p>Texthelp will:</p>
<ul>
<li>Comply with both the law and best practice regarding information security and privacy</li>
<li>Respect individuals’ rights</li>
<li>Be open and honest with individuals whose data is held</li>
<li>Provide training and support for staff who handle personal data, so that they can act confidently and consistently</li>
</ul>
<p>The Texthelp group of companies recognizes that its first priority regarding information security and privacy is to avoid causing harm to individuals. Predominantly this means keeping information securely, on a need-to-know basis, in the right hands.</p>
<p>This is the top-level policy. As well as outlining the company’s information security objectives and how to meet them, it also includes a requirement for all security-related documents to be reviewed periodically to ensure conformity and applicability.</p>
<p>It is the responsibility of all employees to comply with the requirements of this and all policies.</p>
<p>Although Texthelp’s ISO 27001 scope of certification, at this time, includes:</p>
<ul>
<li>Texthelp Ltd</li>
<li>Texthelp Inc</li>
<li>Texthelp PTY</li>
<li>Lingit A/S</li>
<li>Wizkids A/S</li>
</ul>
<p>this information security policy is a description of best practice and is applicable across the Texthelp group of companies.</p>

<h2>Objectives</h2>
<p>Texthelp will:</p>
<ul>
<li>Deliver a secure, reliable cloud service for users and other interested parties who need confidence and assurance that the platform is fit for their purpose of sharing and working with sensitive information.</li>
<li>Provide a digital, paperless ISMS for staff (and other interested parties who need to access it), integrated into their day-to-day work practices so that it becomes a habit for good performance rather than an inhibitor to getting their work done.</li>
<li>Implement a system to identify and assess information security risks and manage a risk treatment plan to mitigate risk to the confidentiality, integrity and availability of the information it holds or processes.</li>
<li>Mitigate the risk of unauthorized or accidental disclosure of confidential information by staff or external parties.</li>
<li>Ensure the confidentiality, integrity and availability of the company’s information assets at all times.</li>
<li>Minimize the impact of any security incidents.</li>
<li>Continually improve the company’s ability to assess, detect, reduce, avoid and ameliorate information security risks and/or incidents.</li>
<li>Work to avoid a negative impact on Texthelp’s reputation and brand.</li>
<li>Protect the information of all interested parties, including the personal information of its customers. Should the Texthelp company be acquired by another company at some future time, this will include checks that the acquiring company has data security controls at least as robust as Texthelp’s in place to ensure the future safeguarding of existing customer data.</li>
<li>Comply with any legal, regulatory or contractual requirements in respect of the data it holds about individuals. These are listed in the List of Legislative &amp; Regulatory Bodies.</li>
<li>Follow best practice.</li>
<li>Seek to continually improve the company’s Information Security Management System.</li>
</ul>

<h2>GDPR Compliance &amp; International Data Transfers</h2>
<p>Texthelp Billing &amp; Contact Data and Customer/User data (name only) is stored in Amazon Web Services (AWS). The Texthelp Group has entered into Standard Contractual Clauses with AWS to ensure we comply with the GDPR rules on international transfers. This complies with data protection requirements and GDPR legislation when transferring data belonging to EU/UK citizens outside the EU/UK.</p>

<h2>Key Risks &amp; Mitigations</h2>
<p>Texthelp has identified potential key risks, which this policy, in conjunction with the Risk Treatment Plan, is designed to address. These risks are logged and monitored in the company's Risk Register.</p>

<h2>Responsibilities</h2>

<h3>Information Security Committee</h3>
<p>The role and responsibilities of this committee will be to provide:</p>
<ul>
<li>Analysis &amp; Design - The committee is responsible for the analysis and design of the ISMS to ensure that a meaningful security policy as well as effective security solutions exist.</li>
<li>Administration - To look after the day-to-day administration of access rights, passwords, etc.</li>
<li>Monitoring - To continuously monitor the security status of the organization and manage incident response procedures.</li>
<li>Awareness communication - To ensure awareness communication is conveyed throughout the company to maintain ongoing security awareness, and also to provide the necessary training programs.</li>
<li>Executive custody and governance - represented by the Information Security Committee.</li>
</ul>

<h3>Data Protection Officer</h3>
<p>The Data Protection Officer is David Hankin, who deals with both the day-to-day management of the Information Security Management System and the continuous communication of the importance and value of security measures, with the following responsibilities:</p>
<ul>
<li>Briefing the board on Data Protection responsibilities</li>
<li>Reviewing Data Protection and related policies</li>
<li>Advising other staff on Data Protection issues</li>
<li>Ensuring that Data Protection induction and training takes place</li>
<li>Notification</li>
<li>Handling data subject access requests (requests for access may be made by emailing datasecurity@texthelp.com)</li>
<li>Approving unusual or controversial disclosures of personal data</li>
<li>Approving contracts with Data Processors</li>
</ul>

<h3>Specific other staff</h3>
<p>IT &amp; Network Administrator:</p>
<ul>
<li>Maintaining a secure network</li>
<li>Maintaining access control lists to core services</li>
<li>Implementing and running the Business Continuity Plan and Disaster Recovery Plan</li>
<li>Providing computing resources to deliver the Information Security Policy</li>
</ul>
<p>Chief Technical Officer:</p>
<ul>
<li>Responsible for the security of the products and services manufactured by Texthelp and of the personal information processed and stored by them</li>
<li>Managing and controlling access to sensitive information such as product source code and other intellectual property related to the products and services manufactured by Texthelp</li>
<li>Managing periodic penetration testing of products and services by third-party agencies</li>
</ul>
<p>Chief Data Officer:</p>
<ul>
<li>Managing and controlling access to Customer Data in the company CRM System</li>
<li>Ensuring that the customer data is stored in compliance with the Information Security Standards</li>
</ul>

<h3>Staff</h3>
<p>All staff are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.</p>

<h2>Enforcement</h2>
<p>Significant breaches of this policy will be handled under Texthelp’s disciplinary procedures.</p>

<h2>Confidentiality</h2>
<p>Because confidentiality applies to a much wider range of information than Data Protection, Texthelp has a separate Data Privacy Policy.</p>

<h2>Scope</h2>
<p>This Policy applies to all employees and third-party agents of Texthelp as well as any other Company affiliate who is authorized to access customer Data. Third-party agents of Texthelp will be required to have an Information Security Policy at least as stringent as this policy.</p>
<p>Third-party agents will also be contractually required, where this is possible, to return or destroy information assets belonging to Texthelp upon termination of a contract with a third party. This will apply to both virtual and physical information assets.</p>
<p>Texthelp will comply with requests under the General Data Protection Regulation (GDPR, EU), the Data Protection Act 2018 (UK), the Regulation of Investigatory Powers Act 2000 (RIPA) from UK authorities, the USA PATRIOT Act from US authorities, the Freedom of Information and Protection of Privacy Act (FOIPPA) (British Columbia), the Danish Data Protection Act, the Norwegian Personal Data Act and other agencies where obliged to do so if requested.</p>
<p>The full list of regulatory and legislative requirements with which Texthelp complies is given in the table of Legislative &amp; Regulatory Bodies.</p>

<h2>What we do with customer data</h2>
<p>Texthelp has a privacy policy for Users, setting out how their information will be used.</p>

<h2>Texthelp Group Staff Responsibilities</h2>
<p>All Texthelp group staff are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Appendix A)</p>

<h2>Information Security Standards</h2>
<p>All information that is stored by the Texthelp group companies is classified as one of the following data types:</p>
<ul>
<li>Public Information</li>
<li>Company Intellectual Property</li>
<li>Customer/Personal Information</li>
<li>(other) Confidential Information</li>
</ul>
<p>All data that is classified as ‘Customer Information’ or ‘Company IP’ must be stored in compliance with the following standards:</p>
<ul>
<li>Encrypted at Rest</li>
<li>Encrypted in Transit using SSL Encryption</li>
<li>All access to the information is logged</li>
<li>Access protected by two-factor authentication</li>
<li>All data must be stored in an ISO 27001 or equally secure facility</li>
<li>All data must be backed up regularly and securely</li>
<li>Information assets should be recorded in the company’s Asset Register</li>
<li>Any relevant information security contracts that have been entered into between Texthelp and a Customer must be recorded in the Information Security Management System</li>
</ul>
<p>Physical Media Transfer: no customer or private data will be transported using physical media.</p>
<p>In order to comply with relevant legislation:</p>
<ul>
<li>If Texthelp is storing information relating to or created by a student (Student Data), that data should be deleted if a request to do so is made by a parent of the student. If appropriate, Texthelp will ask the Parent, School or District to verify that the request is valid.</li>
<li>Texthelp has a policy not to retain Student Data beyond 180 days after a subscription has lapsed. In the case of the Fluency Tutor product, any data that is stored is only stored to deliver the functionality of the product for the district and is strictly for Education Purposes. Upon request Texthelp will delete any Student Data immediately.</li>
<li>Texthelp will store customer, student, supplier and job applicant data for a minimum of 6 years. Any student data that is stored is only stored to deliver the functionality of the product. Upon request Texthelp will delete any customer, student or job applicant data, thereby complying with the GDPR’s, and any local or national, Right to Erasure requirements in the territories in which the company operates.</li>
</ul>
<p>Texthelp must operate a Business Continuity Plan to deliver continuity of service in the event of a disaster. This plan should cover situations such as:</p>
<ul>
<li>Fire</li>
<li>Flash flood</li>
<li>Pandemic</li>
<li>Power Outage</li>
<li>Theft</li>
</ul>

<h2>Information Security Management System</h2>
<p>A system must be maintained to manage and control the security of all data stored by Texthelp.</p>
<p>The system must:</p>
<ul>
<li>List all information assets, including:
<ul>
<li>Their physical location</li>
<li>Their data classification, based on:
<ul>
<li>Value</li>
<li>Criticality</li>
<li>Sensitivity</li>
</ul>
</li>
<li>The method of encryption for storage at rest</li>
<li>The method of encryption for data in transit</li>
<li>Whether the information asset contains user data</li>
<li>Who can access the data</li>
</ul>
</li>
<li>List all data contracts, including:
<ul>
<li>What products the customer is using</li>
<li>What information asset their data is stored in</li>
<li>Who to notify in the event of a security breach</li>
</ul>
</li>
<li>Manage security incidents, including:
<ul>
<li>Provide a means of notifying all relevant customers and staff. Where a data breach occurs that may affect them, customers and interested parties will be notified within a 48 hour period.</li>
<li>Record all security incidents</li>
<li>Resolve the security incident and record the steps taken to prevent recurrence</li>
</ul>
</li>
<li>Where relevant, record access to information assets by staff members, including:
<ul>
<li>Which staff member</li>
<li>Which data</li>
<li>What date and time</li>
</ul>
</li>
</ul>

<h2>Staff training &amp; acceptance of responsibilities</h2>

<h3>Documentation</h3>
<p>Information for all staff and temporary workers is contained in the staff handbook.</p>

<h3>Induction</h3>
<p>All staff who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.</p>
<p>Data Protection will be included in foundation training for all staff.</p>

<h3>Continuing training</h3>
<p>Texthelp will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.</p>

<h3>Procedure for staff signifying acceptance of policy</h3>
<p>All staff are required to sign an electronic form signifying that they have read, understood and accept this policy.</p>

<h2>Specific Focus Training for Key Handling Roles</h2>

<h3>Software Developers</h3>
<p>Software Developers at Texthelp will be trained to ensure that the architecture of any system that stores personal data is in compliance with the Information Security Standards above.</p>
<p>Prior to release, the software will be tested to ensure that it is in compliance.</p>
<p>All Product Owners, Scrum Masters or Project Leaders should ensure that an Information Security Risk Assessment is carried out for each sprint and, when needed, a risk treatment plan is created and followed.</p>

<h3>Marketing Staff</h3>
<p>Marketing Staff who have access to personal customer information will receive specific training regarding the secure transit and storage of personal data for the purposes of outbound marketing.</p>

<h2>Policy review</h2>

<h3>Responsibility</h3>
<p>Ryan Graham (CTO) will be responsible for reviewing this policy. This Information Security Policy will be audited as a part of the company’s scheduled ISO 27001 audits. Audits of all processes within the company will take into account this Information Security Policy at all times.</p>

<h3>Procedure</h3>
<p>An annual review of the policy will be performed to ensure continuing relevance. The results of this review will be available on request.</p>

<h3>Timing</h3>
<p>An audit of this policy will be carried out once per year. However, the requirements of this policy, with regard to data privacy/security, will form a part of the company’s regular ISO 27001 internal audits. The ISO 27001:2013 audits are performed at least annually.</p>

<h2>Information Security Incidents</h2>
<p>All information security incidents will be logged in the Downtime/Security Events Register in Sugar. Information security incidents will be classified according to severity. Incidents such as unsuccessful exploit attempts that do not involve data loss will be classified as Level 1 - Non-Critical Incidents. Level 1 incidents should not trigger a customer notification, since there has been no impact on privacy.</p>
<p>Incidents that do involve data loss will be classified as Level 2 - Critical Incidents and should trigger a notification to all customers that are impacted by the data loss. Where required, the relevant local data protection authority will also be contacted.</p>

<h2>Appendix A: Confidentiality statement for staff</h2>
<p>When working for Texthelp, you will often need to have access to confidential information, which may include, for example:</p>
<ul>
<li>Personal information about individuals who are customers or users of Texthelp software.</li>
<li>Information about the internal business of Texthelp.</li>
<li>Personal information about colleagues working for Texthelp.</li>
</ul>
<p>Texthelp is committed to keeping this information confidential, in order to protect people and Texthelp. ‘Confidential’ means that all access to information must be on a need-to-know and properly authorized basis. You must use only the information you have been authorized to use, and for purposes that have been authorized. You should also be aware that under the Data Protection Act, unauthorized access to data about individuals is a criminal offence.</p>
<p>You must assume that information is confidential unless you know that it is intended by Texthelp to be made public. Passing information between staff members in our international offices, or between Texthelp and a 3rd party marketing partner who is in compliance with our policy, or vice versa, does not count as making it public, but passing information to another organization does count.</p>
<p>You must also be particularly careful not to disclose confidential information to unauthorized people or cause a breach of security. In particular you must:</p>
<ul>
<li>not compromise or seek to evade security measures (including computer passwords);</li>
<li>be particularly careful when sending information between our international offices;</li>
<li>not discuss confidential information, either with colleagues or people outside Texthelp;</li>
<li>not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to, and that they are authorized to have it.</li>
</ul>
<p>If you are in doubt about whether to disclose information or not, do not guess. Withhold the information while you check with an appropriate person whether the disclosure is appropriate.</p>
<p>Your confidentiality obligations continue to apply indefinitely after you have stopped working for Texthelp.</p>
<p>Signed: Martin McKay (CEO)</p>
<p>Signed: Ryan Graham (CTO)</p>
<p>Public Information</p>




