1. Purpose

This data security policy outlines the practices and responsibilities necessary to ensure the protection of sensitive information. It aims to minimize risks associated with data breaches and unauthorized access, while promoting user awareness and compliance with data security standards.

2. Scope

2.1 In Scope

This policy applies to all systems, networks, and devices used to handle sensitive information, including those used for email, web access, and other work-related tasks. It applies to all users who interact with these systems.

2.2 Out of Scope

Publicly available information is not covered by this policy. Exceptions to this policy may be granted by management for specific business needs.

3. Policy

3.1 Principles

Access to information and resources is granted according to the principle of least privilege: users receive only the permissions required to perform their duties, so that sensitive data is not exposed to unnecessary risk.

3.2 General

a. Each user is identified by a unique account to track access and usage.
b. Shared accounts are permitted only where a business need exists and the account does not provide access to sensitive data.
c. Users must review and agree to this policy. Concerns should be addressed to management.
d. Access records may be used in security investigations.
e. Access is granted based on job responsibilities and the least-privilege principle.
f. Stored data is subject to the access control measures described in sections 3.6 and 3.7.

3.3 Access Control Authorization

Access to systems and data is controlled through secure authentication methods. Permissions are granted only by authorized personnel, so that access is limited to those with a legitimate need.

3.4 Network Access

a. Network access is granted based on business needs and the least-privilege principle.
b. All information accessed on the network is considered private unless explicitly stated otherwise.

3.5 User Responsibilities

a. Users must lock their screens when leaving their desks to prevent unauthorized access.
b. Users must secure sensitive or confidential information when not in use.
c. Users must keep their passwords confidential and must not share them.

3.6 Application and Information Access

a. Access to applications and data is granted based on job roles.
b. Sensitive data access is restricted to authorized personnel with a business need.
c. Sensitive systems are isolated to restrict access to authorized users only.

3.7 Access to Confidential or Restricted Information

Access to confidential or restricted data is limited to authorized personnel. The IT department is responsible for implementing the access controls required to enforce this restriction.

4. Technical Guidelines

Access control methods include role-based access models, server access rights, web authentication, and database access rights. These controls apply to all relevant systems, including networks, servers, workstations, mobile devices, and cloud services.

5. Incident Reporting Requirements

a. High-priority security incidents must be reported immediately to the IT manager.
b. A monthly report of security incidents and resolutions will be generated by the IT Security department.

6. Ownership and Responsibilities

- Data owners are responsible for the information they manage.
- The Information Security Administrator supports the implementation and oversight of security procedures.
- Users include all individuals with access to information resources.
- The Incident Response Team handles security incidents and includes members from various departments.

7. Enforcement

Violations of this policy may result in disciplinary action, up to and including termination of employment. Third-party partners or contractors found in violation may have their access terminated.

8. General Data Protection Regulation (GDPR) Provision

Personal data will be collected and used in compliance with GDPR. Individuals have rights to access, rectify, and request deletion of their data, as well as to object to or restrict processing. Data will be retained only as long as necessary for legal and operational purposes.

Additional privacy measures include logging, adherence to the privacy policy, and management of third-party policies. Children's information receives additional protection, and online privacy practices will comply with the relevant regulations.

9. Consent

By using company services or systems, users consent to the terms outlined in this data security policy.