Information Security Policy
Purpose
In general, Equal Experts (EE) supports a transparent approach to sharing knowledge; we want to keep things open and simple wherever possible. However, not all data can be shared openly. This Infosec policy ensures that sensitive or confidential data, including Personal Data, is sufficiently protected.
This policy applies to Equal Experts suppliers, including sub-contractors (associates, in EE parlance). It’s essential you read and follow it; failure to comply may lead to legal action and could be regarded as a breach of contract. And no-one wants that. This policy applies to all consultants, volunteers, agency workers, associates and suppliers across all of our Business Units, including Britain, Germany, Portugal, India and Australia. It does not cover the USA or South Africa, where different rules apply.
Scope
All Personal Data or sensitive business information must be treated as confidential, with access only granted on a ‘need to know’ basis. Whilst this usually concerns digital files, it also covers paper documents and images; any and all sources of information are covered. “Confidential Information” referred to in this policy includes all information classified as “Restricted” and “Company”.
Access to such data must be adequately controlled in accordance with its sensitivity (see Access controls below). Equal Experts classifies information assets, and some of our clients do too; data must be classified in line with their requirements and policies.
Governance and compliance
Responsibility for all Infosec matters falls to Equal Experts’ Information Security Officer, an additional role held by our Chief Operating Officer (COO).
When you’re working in a client environment, you’ll also need to follow their Infosec policy; your Engagement Manager or Delivery Lead can provide it. You should inform them if you think there are any contradictions.
Information Classification
In accordance with our ISO27001 policy, we classify our information as follows:
- Open: The information is unclassified and not particularly valuable, nor is the organisation required to protect it. Anyone can access it for any purpose, including release to the public or clients. It may include press releases and job vacancies.
- Company: The information has value internally, and may have some value to competitors. It may be distributed freely to anyone within the organisation. It may include internal memos, employment data, and contract information.
- Restricted: The information has significant value, and there may be legal requirements for its protection. Access is limited to designated roles or groups within the organisation. It may include intellectual property, customer payment details, financial information and long-term strategic plans.
Information without classification is public.
Hardware
Device policy
Any device (laptop, phone, tablet) that you use to perform Equal Experts business must be properly set up to keep sensitive information safe. Access to Equal Experts and client IT systems is granted on the condition that all devices are appropriately configured, as follows:
- Security updates: All available firmware and security patches must be applied promptly (within 14 days for patches addressing critical/high-risk issues, to comply with our Cyber Essentials credentials). Where necessary for development and testing, running older software versions within virtual environments or on devices dedicated to this purpose is acceptable.
- Device locks: These must be turned on (and set to automatically lock after a period of inactivity). The password must be set in line with best practice for the device in question (see Credentials below).
- Biometric authentication: Any form of biometric unlocking for a device, like fingerprinting or Apple’s FaceID, is acceptable.
- Malware protection: Must be installed and enabled on laptops/desktops. Microsoft Security Essentials (Windows) or Gatekeeper (macOS) are both sufficient.
- Encryption: Must be turned on for all hard drives. Sensitive data mustn’t be stored on unencrypted removable memory cards.
- Firewall: If your device offers a firewall, it must be turned on and set to block incoming network connections.
- Remote wipe: If your device offers this functionality (e.g. Apple’s ‘Find My iPhone’) it must be turned on.
Client-owned devices
Devices provided by a client can be used to access Equal Experts information such as email accounts, shared folders and Slack accounts in the normal course of business. Credentials must be stored securely, preferably using a password manager (see Credentials below).
Similarly, ensure that sensitive and/or confidential client data is not saved on a third-party device, unless provided by a client authorised to access that data.
Removable media
Removable media should not be used routinely for information transfer. It must only be used if alternative means, such as email or sharing via an online repository, are unavailable. Removable media may be used for backup.
When Sensitive or Confidential information is stored on removable media, it must be encrypted. This may be done either by using a device which has built-in encryption and requires a passcode to access it or by placing the information in an encrypted container such as a password-protected ZIP file.
Software
If you are using a device provided by EE, you’re welcome to use personal software and data on it. Be aware that it is subject to inspection (and potentially deletion) at the Information Security Officer’s discretion. All personal software must be legally obtained and also appropriately licensed for commercial use (if you intend to use it to perform EE business).
Messages sent to and from Equal Experts email addresses may be monitored. Don’t use email forwarding to send internal emails to external email addresses, or any other storage not managed by Equal Experts.
Once you’ve left the organisation, your emails may be forwarded to another internal address or deleted; it’s your responsibility to ensure any personal emails are stopped.
Internet usage
Equal Experts provides Internet access for business purposes in its offices; usage may be logged and/or monitored. Any personal Internet use must not be excessive nor disrupt or restrict usage by others.
For the avoidance of doubt, the following examples are deemed to be unacceptable use:
- Visiting sites that contain obscene, hateful, pornographic or otherwise illegal material;
- Perpetrating any form of fraud or software, film, or music piracy;
- Sending offensive or harassing material;
- Downloading commercial software or any third-party copyrighted materials (unless covered or permitted under a commercial agreement or other such licence);
- Attempting to gain unauthorised access to protected websites or resources;
- Undertaking deliberate activities that waste staff effort or networked resources;
- Introducing any form of malicious software into Equal Experts’ network.
Social media
We value open communication with the wider software community but however social you may be, ensure you don’t use social media, wikis, blogs or any other social media-related sharing sites to share privileged information.
We reserve the right to monitor, intercept and review, without further notice, staff activities using our IT resources and communications systems, including but not limited to social media postings and activities, for legitimate business purposes, which include ascertaining and demonstrating that expected standards are being met by those using the systems and for the detection and investigation of unauthorised use of the systems (including where this is necessary to prevent or detect crime).
You may be required to remove any social media content that we consider to constitute a breach of this policy. Failure to comply with such a request may in itself result in disciplinary action.
Internal collaboration tools
Client-confidential information should be accessible only to those who need it (usually within the project team). Confidential information must only be visible to the Equal Experts community on internal tools such as Slack or Trello. Only private groups should be used for Personal Data; all participants must be authorised to see and use the data.
An exception is for discussion groups, video conferencing and Slack channels that are expressly intended to include everyone within the EE community. If you set these up, ensure all participants know the content is open to a wider group and share data accordingly. Don’t share information on these channels if you wouldn’t share it in the office.
Access controls
Access controls exist to protect our information and provide a suitable level of security on its use.
Physical access
Physical access to client premises is controlled by the client’s security policy, which must be fully complied with.
Remote access
When accessing Equal Experts and client information remotely, make sure that no one is able to eavesdrop on sensitive information.
This applies to physical and electronic snooping alike. For example, make sure your screen’s not overlooked in public spaces; don’t access sensitive information over public networks without an effective security measure in place (e.g. encrypted virtual desktop, HTTPS websites).
Credentials
You must follow the guidance on creating and managing credentials from the National Cyber Security Centre (NCSC). You are solely and wholly responsible for how you manage your passwords.
You must use Two-Factor Authentication (2FA) on all accounts where it is available.
You should use a password management service such as 1Password to provide a unique, random password for each system you access.
If you know or suspect one of your credentials is compromised, you must report it (see Incident reporting below) and change it immediately. Credentials for client systems will need to be reported differently; please tell your Delivery Lead or Engagement Manager.
Periodic review of access rights
IT systems administered by Equal Experts and which contain Equal Experts’ or clients’ proprietary information are periodically reviewed to ensure that all access rights which have been granted are still appropriate.
Incident reporting
This policy sets out how to avoid a security incident, but life being as it is, an incident may still occur. If it does, you must immediately follow the Incident Reporting Policy (this is an internal document, please refer to your Engagement Manager for details). A security incident is defined as:
“Any actual, suspected, or potential occurrence which could result or could have resulted in unauthorised or unlawful access to, or tampering with, sensitive data belonging to, or in the care of, Equal Experts. This includes any unusual or unexplained activity in online services and any installation of malicious software on devices, whether deliberate or accidental.”
Reportable security incidents also include any compromise of systems being managed by Equal Experts teams as part of a client project, whether such compromise is detected by us, the client, or by the service provider.
If the security incident relates to any client data or systems (whether we maintain them or not), then the relevant Engagement Manager or Delivery Lead must also be informed so they can report the incident to the client as well as following our internal EE Incident Management Reporting Policy.
Information transfer, backup & retention
Information transfers
If you’re transferring sensitive information to another person (or organisation), ensure they are authorised to access that information (by means of a signed Non-Disclosure Agreement where applicable).
They must accept responsibility for protecting the security of the information in line with this policy. Given the nature of the information being shared, you’ll need to use one of the following methods to transfer it:
- Email – recipients must be authorised to access the information, and the security classification of the information must be clearly stated (e.g. Sensitive/Confidential).
- Online storage – Google Drive can be used for transient storage managed by Equal Experts. It should only be used to transfer client information, and the source files must be deleted once the transfer is complete.
- Documents must be put in an encrypted container before transferring. Be sure to share the decryption password separately and securely (by text message or a separate email).
Data retention
Only retain information for as long as is needed for business purposes. Personal Data must not be retained for any longer than is necessary for the purposes declared when the information was collected from the data subject.
When the retention period for information has passed, both the primary copy and all backup copies of that information should be erased.
Last Reviewed February 2024
For further information, feel free to contact our security team on security@equalexperts.com