GrowByData Security Policy

Introduction
GrowByData LLC (“Company” or “We”) has defined its Security Policy in compliance with ISO/IEC 27001 standard. As a modern, forward-looking business, GrowByData LLC recognizes at senior levels the need to ensure that its business operates smoothly and without interruption for the benefit of its customers, shareholders, and other stakeholders.

In order to provide such a level of continuous operation, GrowByData LLC has implemented an Information Security Management System (ISMS) in line with the International Standard for Information Security, ISO/IEC 27001. This standard defines the requirements for an ISMS based on internationally recognized best practices.

The operation of the ISMS has many benefits for the business, including

  • Protection of revenue streams and company profitability
  • Ensuring the supply of goods and services to customers
  • Maintenance and enhancement of shareholder value
  • Compliance with legal and regulatory requirements

GrowByData LLC maintains full certification to ISO/IEC 27001 by effective adoption of information security best practices validated by an independent third party, a Registered Certification Body (RCB).

Information Security Requirements
A clear definition of the requirements for information security within GrowByData LLC is agreed upon and maintained with the internal business so that all ISMS activity is focussed on the fulfilment of those requirements.

Statutory, regulatory, and contractual requirements are also documented. Specific requirements with regard to the security of new or changed systems or services are captured as part of the design stage of each project.

It is a fundamental principle of the GrowByData LLC Information Security Management System that the controls implemented are driven by business needs, and this will be regularly communicated to all staff through team meetings and briefing documents.

Framework for Setting Objectives
A regular cycle is used for the setting of objectives for information security to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives are based upon a clear understanding of the business requirements, informed by the management review process during which the views of relevant interested parties may be obtained.

Continual Improvement of the ISMS
GrowByData LLC policy with regard to continual improvement is to:

  • Continually improve the effectiveness of the ISMS
  • Maintain ISO/IEC 27001 certification on an on-going basis
  • Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to information security
  • Make information security processes and controls more measurable in order to provide a sound basis for informed decisions
  • Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
  • Obtain ideas for improvement via regular meetings and other forms of communication with interested parties, including cloud service customers.
  • Review ideas for improvement at regular management meetings in order to prioritise and assess timescales and benefits.

Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be recorded and evaluated as part of management reviews.

GrowByData LLC acceptable use policy
GrowByData LLC has set the purpose of this policy to outline and ensure that internet resources are used appropriately when conducting business on behalf of the employer. Within this policy, “internet resources” include, but are not limited to: Web access, FTP (file transfer protocol) servers, the intranet, and the employer's domain names and IP addresses. This policy applies to all GrowByData LLC employees, and exemptions are made only upon the approval of the Information Security Manager.

Guidelines to Business Use of the Internet Service
Computer equipment and Internet access are the property of GrowByData LLC and must be used in accordance with company policies.

  • Illegal, pornographic, violent, hate or discrimination, gambling and gaming sites, and file sharing of any kind are strictly forbidden. Usage must relate to the employee’s function within GrowByData LLC. Misuse of the internet will result in disciplinary actions up to and including immediate dismissal.
  • If an employee forgets their password, or believes that it has been compromised, the employee must inform management immediately. Management shall confirm the user name, reset the password, and inform the employee of the changes made and of the procedure for changing their password.
  • When employment is terminated, the Head of HR will notify the department in charge to ensure the removal of the former employee’s access to email and internet resources. This is an important measure in protecting the safety and integrity of the employer’s resources.

Employees may use the internet only to complete their job duties, under the purview of their business objectives. Permissible, acceptable, and appropriate internet-related work activities include:

  • Researching, accumulating, and disseminating any information related to the accomplishment of the user’s assigned responsibilities.
  • Conducting professional development activities (e.g. newsgroups, chat sessions, discussion groups, posting to bulletin boards, webinars, etc.) as they relate to meeting the user’s job requirements. In instances where the personal opinions of the user are expressed, a disclaimer must be included asserting that such opinions are not necessarily those of the employer.

Internet use shall comply with all government laws and will not violate other policies. Inappropriate and unacceptable Internet use includes, but is not limited to:

  • Usage for illegal purposes, such as theft, fraud, slander, libel, defamation of character, harassment (sexual and non-sexual), stalking, identity theft, online gambling, spreading viruses, spamming, impersonation, intimidation, and plagiarism/copyright infringement.
  • Any usage that conflicts with existing policies and/or any usage that conflicts with the employer’s mission, goals, and reputation.
  • Downloading unreasonably large files or streaming videos that may hinder network performance.
  • Accessing, downloading, or printing any content that exceeds the bounds of good taste and moral values (i.e. pornography).
  • Engaging in any other activity which would in any way bring discredit, disrepute, or litigation upon the employer.
  • Engaging in personal online commercial activities, including offering services or products for sale or soliciting services or products from online providers.
  • Engaging in any activity that could compromise the security of host servers or computers. Passwords must not be disclosed to or shared with other users.
  • Engaging in any fundraising activity, endorsing any products or services, or participating in any political activity, unless authorised to do so as part of completing one’s assigned job duties and responsibilities.
  • Allowing unauthorised or third parties to access the employer’s network and resources.

This policy allows room for the limited and reasonable personal use of the internet. This privilege may be revoked at any time when it has been identified that this benefit has been abused.
Personal use shall not:

  • Have a negative impact on user productivity or efficiency.
  • Interfere with normal business operations
  • Cause expense or network slowdowns.
  • Compromise the integrity and security of the employer’s resources or assets.
  • Conflict with any existing policies.

Employees must comply with the following security guidelines, rules, and regulations:

  • Personal files or data downloaded from the internet may not be stored on hard drives or network file servers.
  • Video and sound files must not be downloaded from the internet unless their use has been authorised for the purposes of conducting the employer’s business.
  • Users must refrain from any online practices or procedures that would expose the network or resources to virus attacks, spyware, adware, malware, or hackers.

Access Management
GrowByData LLC has a requirement to protect its information assets in order to safeguard its customers, intellectual property and reputation. The control of access to our information assets is a fundamental part of a defence-in-depth strategy for information security. If we are to effectively protect the confidentiality, integrity and availability of classified data, then we must ensure that a comprehensive mix of physical and logical controls is in place:

  • A formal request for access to the organization’s network and computer systems must first be submitted to System Admin. All requests will be processed according to a formal procedure to ensure that appropriate security checks are carried out and correct authorization is obtained prior to user account creation.
  • Each user account will have a unique user name that is not shared with any other user and is associated with a specific individual (i.e. not a role or job title).
  • An initial strong password must be created on account setup and communicated to the user via secure means.
  • When an employee leaves the organization, their access to computer systems and data must be suspended at the close of business on the employee’s last working day.
  • Each user will be allocated access rights and permissions to computer systems and data that are commensurate with the tasks they are expected to perform.
  • Where an adjustment of access rights or permissions is required, e.g. due to an individual changing role, it will be carried out as part of the role change.
  • Privileged access rights such as those associated with administrator-level accounts will be identified for each system or network and tightly controlled.
  • Multi-factor authentication will be used for cloud services and email. Passwords must be a minimum of 8 characters, with at least one uppercase letter, one lowercase letter, one symbol and one number. Passwords will be changed at least every 90 days.
  • A password manager will be used to store passwords securely.
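The password rules above (minimum 8 characters, one uppercase letter, one lowercase letter, one symbol, one number, rotation at least every 90 days) can be checked mechanically. The following is an added example, not GrowByData's own tooling: it reports which rules a candidate password fails and how many days remain before the 90-day rotation deadline. The sample values are constructed.

```python
"""Check a credential against the Access Management password rules:
at least 8 characters; at least one uppercase letter, one lowercase
letter, one digit and one symbol; rotation at least every 90 days.
Illustrative code only; the numbers come from the policy text."""
from datetime import date, timedelta

MIN_LENGTH = 8      # "minimum of 8 characters"
MAX_AGE_DAYS = 90   # "changed at least every 90 days"


def policy_violations(password: str) -> list:
    """Return the list of rules the password fails (empty when it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    # Anything that is neither alphanumeric nor whitespace counts as a symbol.
    if not any((not c.isalnum()) and (not c.isspace()) for c in password):
        failures.append("no symbol")
    return failures


def days_until_rotation(last_changed: str, today: str) -> int:
    """Days left before the 90-day rotation deadline; negative once overdue.
    Both dates are ISO strings (YYYY-MM-DD)."""
    deadline = date.fromisoformat(last_changed) + timedelta(days=MAX_AGE_DAYS)
    return (deadline - date.fromisoformat(today)).days


def is_compliant(password: str, last_changed: str, today: str) -> bool:
    """True only when every complexity rule passes and rotation is not overdue."""
    return not policy_violations(password) and days_until_rotation(last_changed, today) >= 0


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = "Gr0wBy!Data"
    print(policy_violations(sample), days_until_rotation("2024-01-01", "2024-03-01"))
```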

Data Leakage Prevention

  • Organize data according to industry standards (PII, commercial data, and product information) to assign different levels of risk.
  • Diligently scrutinize data outlets that are heavily used and liable to leakage (e.g. email, inbound and outbound file transfers, USB devices).
  • Be proactive in protecting data from being exposed. Put strong file restrictions in place and set up suitable authorization methods.
  • Restrict the user’s capacity to copy and paste data (where applicable) only to and from certain platforms and systems.
  • Before any large-scale exports occur, require authorization from the data holder.
  • Consider restricting or preventing users from capturing screenshots or taking pictures of monitors that show safeguarded data types.
  • Encrypt any backups that have sensitive data. Ensure that all confidential info is safeguarded.
  • Construct gateway security and leakage prevention measures to protect against external influences, including (but not restricted to) industrial espionage, sabotage, commercial interference and IP theft.

Incident Response
GrowByData LLC is committed to taking reasonable measures to mitigate the harmful effects of an incident and to prevent further unauthorized access or disclosure:

  • Incident management at GrowByData will be handled by the Information Security Manager. Monitoring of incidents will be done by the appointed Security Engineer. All major incidents will be communicated to internal and external parties.
  • GrowByData uses cloud-based services to monitor the Security Events in the GrowByData Infrastructure. Once the incident has been detected, an initial impact assessment will be carried out in order to decide the appropriate response.
  • As a result of this initial analysis, any member of the management team can contact the Incident Response Team Leader at any time to ask him/her to assess whether the Incident Response Procedure should be activated.
  • Once notified of an incident the Team Leader will decide whether the scale and actual or potential impact of the incident justifies the activation of the Incident Response Procedure and the convening of the Incident Response Team (IRT).
  • Once the decision has been made to activate the incident response procedure, the Team Leader (or deputy) will ensure that all role holders (or their deputies if main role holders are un-contactable) are contacted, made aware of the nature of the incident and asked to assemble at an appropriate location.
  • The Incident Response Team's main objective will be to restore normal service operation as quickly as possible and to minimize the adverse impact on business operations, thus ensuring that the best possible levels of service quality and availability are maintained.
  • Post-incident activity will be conducted to ensure that the correct actions are taken to prevent the same incident from recurring.