1. Introduction
Shift ONE Digital is committed to ensuring the confidentiality, integrity, and availability of its information assets and the information assets of its clients. This Information Security Policy outlines the principles and guidelines for safeguarding information, managing client information and accounts, and promoting a secure and trustworthy environment for all stakeholders.
2. Scope
This policy applies to all employees, contractors, and third-party service providers who have access to Shift ONE Digital's information assets and client information. It encompasses all information, regardless of the form or medium in which it is stored, transmitted, or processed.
3. Information Classification
Shift ONE Digital recognizes the importance of classifying information based on its sensitivity and criticality. The following classification levels are defined:
a. Public Information: Information that is freely available to the public and does not require any special protection measures.
b. Internal Information: Information intended for internal use within Shift ONE Digital and its authorized personnel. Access is limited to employees on a need-to-know basis.
c. Confidential Information: Information that is sensitive and requires protection against unauthorized access or disclosure. Access to this information should be strictly controlled and limited to authorized personnel.
d. Client Information: Information provided by clients to Shift ONE Digital for the purpose of providing services. The confidentiality and privacy of client information must be protected at all times.
4. Responsibilities
4.1 Management Responsibilities
Executive management is responsible for providing leadership and support for information security initiatives.
The management team is accountable for the implementation and enforcement of information security policies, procedures, and controls.
Regular review and assessment of the effectiveness of information security controls shall be conducted by management.
4.2 Employee Responsibilities
All employees must familiarize themselves with this Information Security Policy and comply with its provisions.
Employees are responsible for safeguarding information assets in their possession and reporting any security incidents or vulnerabilities to the appropriate authorities.
Training and awareness programs will be provided to employees to ensure a clear understanding of their responsibilities regarding information security.
5. Information Security Controls
5.1 Access Control
Access to information assets and client accounts shall be granted based on the principle of least privilege.
User accounts must be created for individual employees and contractors, and access rights should be regularly reviewed and revoked promptly upon termination of employment or contract.
Strong passwords and multi-factor authentication shall be implemented for all systems and accounts.
5.2 Data Protection
Encryption mechanisms shall be employed to protect sensitive information during storage, transmission, and processing.
Regular backups of critical information shall be performed and tested to ensure data recoverability in the event of a system failure or disaster.
Data retention and disposal practices must comply with legal, regulatory, and contractual requirements.
5.3 Incident Management
A formal incident response plan shall be established to address security incidents promptly and minimize their impact.
All security incidents, including breaches or suspected breaches, must be reported, investigated, and documented in accordance with established procedures.
Lessons learned from security incidents shall be used to improve the overall security posture of Shift ONE Digital.
6. Client Information and Account Management
6.1 Confidentiality and Privacy
Client information shall be treated as strictly confidential and accessed only on a need-to-know basis.
Client information shall not be disclosed to unauthorized parties without the explicit consent of the client or as required by applicable laws or regulations.
Adequate controls and safeguards shall be implemented to protect client information from unauthorized access, loss, or disclosure.
6.2 Account Management
Client accounts shall be managed in accordance with established procedures and access controls.
Account credentials and authentication mechanisms must be kept confidential and not shared with unauthorized individuals.
Regular reviews and audits of client accounts shall be conducted to ensure the integrity and security of the accounts.
7. Compliance
Shift ONE Digital is committed to complying with all applicable laws, regulations, and contractual obligations related to information security and the management of client information and accounts. Regular audits and assessments will be conducted to ensure compliance with this policy.
8. Policy Review
This Information Security Policy shall be reviewed on a periodic basis to ensure its ongoing relevance and effectiveness. Any necessary updates or modifications will be made in consultation with relevant stakeholders and approved by executive management.
9. Policy Acceptance
By accepting employment or engagement with Shift ONE Digital, employees, contractors, and third-party service providers acknowledge their understanding and acceptance of this Information Security Policy and agree to comply with its provisions.