Information Security Policy

In general, Equal Experts (EE) supports a transparent approach to sharing knowledge; we want to keep things open and simple wherever possible. However, not all data can be shared openly. This Infosec policy exists to ensure that sensitive or confidential data, including Personal Data, is sufficiently protected.

This policy applies to Equal Experts suppliers, including sub-contractors (associates, in EE parlance). It’s essential you read and follow it; failure to comply may lead to legal action and could be regarded as a breach of contract. And no-one wants that. This policy applies to all Associates and Suppliers across all of our Business Units, including Britain, Germany, Portugal, India and Australia. It does not include USA or South Africa where different rules apply.

What is covered by this policy?
All Personal Data or sensitive business information must be treated as confidential, with access only granted on a ‘need to know’ basis. Whilst this usually concerns digital files, it also covers paper documents and images; any and all sources of information are covered.

Access to such data must be adequately controlled in accordance with its sensitivity (see Access Controls below). Equal Experts doesn’t classify information assets (except to ensure that sensitive data is kept confidential), but some of our clients do; data must be classified in line with their requirements.

Governance and compliance
Responsibility for all Infosec matters falls to Equal Experts’ Information Security Officer, an additional role held by our Chief Operating Officer (COO).

When you’re working in a client environment, you’ll also need to follow their Infosec policy; your Engagement Manager or Delivery Lead can provide it. You should inform them if you think there are any contradictions.

1. Hardware

1.1. Device policy
Any device (laptop, phone, tablet) that you use to perform Equal Experts business must be properly set up to keep sensitive information safe. Access to Equal Experts and client IT systems is granted on the condition that all devices are appropriately configured, as follows:

  • Security updates: All available firmware and security patches must be applied promptly (within 14 days for patches addressing critical/high-risk issues, to comply with our Cyber Essentials credentials). Where necessary for development and testing, it’s acceptable to run older software versions within virtual environments or on devices dedicated to this purpose.
  • Device locks: These must be turned on (and set to automatically lock after a period of inactivity). The password must be set in line with best practice for the device in question (see section 4.3 on credentials).
  • Biometric authentication: Any form of biometric unlocking for a device, like fingerprinting or Apple’s FaceID, is acceptable.
  • Malware protection: Must be installed and enabled on laptops/desktops. Microsoft Security Essentials (Windows) or Gatekeeper (macOS) are both sufficient.
  • Encryption: Must be turned on for all hard drives. Sensitive data mustn’t be stored on unencrypted removable memory cards.
  • Firewall: If your device offers a firewall, it must be turned on and set to block incoming network connections.
  • Remote wipe: If your device offers this functionality (eg. Apple’s ‘Find My iPhone’) it must be turned on.

1.2. Client-owned devices
Devices provided by a client can be used to access Equal Experts information such as email accounts, shared folders and Slack accounts in the normal course of business. Credentials must be stored securely, preferably using a password manager (see Credentials below).

Similarly, ensure that sensitive and/or confidential client data is not saved on a third-party device, unless provided by a client authorised to access that data.

1.3. Removable media
Removable media should not be used routinely for information transfer. It must only be used if alternative means, such as email or sharing via an online repository, are not available. Removable media may be used for backup.

When Sensitive or Confidential information is stored on removable media, it must be encrypted. This may be done either by using a device which has built-in encryption and requires a passcode in order to access it, or by placing the information in an encrypted container such as a password-protected ZIP file.

2. Software

If you are using a device provided by EE, you’re welcome to use personal software and data on it. Be aware that it is subject to inspection (and potentially deletion) at the Information Security Officer’s discretion. All personal software must be legally obtained, and also appropriately licensed for commercial use (if you intend to use it to perform EE business).

2.1. Email
Messages sent to and from Equal Experts email addresses may be monitored. Don’t use email forwarding to send internal emails to external email addresses, or any other storage not managed by Equal Experts.

Once you’ve left the organisation, your emails may be forwarded to another internal address, or deleted; it’s your responsibility to ensure any personal emails are stopped.

2.2. Internet usage
Equal Experts provides Internet access for business purposes in offices that it manages; usage may be logged and/or monitored. Any personal Internet use must not be excessive, nor disrupt or restrict usage by others.

For the avoidance of doubt, the following examples are deemed to be unacceptable use:

  • Visiting sites that contain obscene, hateful, pornographic or otherwise illegal material;
  • Perpetrating any form of fraud, or software, film or music piracy;
  • Sending offensive or harassing material;
  • Downloading commercial software or any third-party copyrighted materials (unless covered or permitted under a commercial agreement or other such licence);
  • Attempting to gain unauthorised access to protected websites or resources;
  • Undertaking deliberate activities that waste staff effort or networked resources;
  • Introducing any form of malicious software into Equal Experts’ network.

2.3. Social media
We value open communication with the wider software community, but however social you may be, ensure you don’t use social media, wikis or blogs to share privileged information.

2.4. Internal collaboration tools
Client-confidential information should be accessible only to those people that need it (usually within the project team). Confidential information must only be visible to the Equal Experts community on internal tools such as Slack or Trello. Only private groups should be used for Personal Data; all participants must be authorised to see and use the data.

An exception is for discussion groups, video conferencing and Slack channels that are expressly intended to include everyone within the EE community. If you set these up, ensure all participants are aware the content is open to a wider group and share data accordingly. Don’t share information on these channels if you wouldn’t share it in the office.

3. Personal data

Our use of personal data is controlled by the UK Data Protection Act 2018, which brought regulations into line with the EU’s General Data Protection Regulation (GDPR).

3.1. Equal Experts’ registration
Equal Experts UK Ltd is registered with the Information Commissioner’s Office (ICO) under registration reference Z3417134. We may collect and process the following categories of Personal Data:

  • Personal and family details
  • Lifestyle and social circumstances
  • Goods and services
  • Financial details
  • Education and employment details

The following categories of sensitive Personal Data are included within this:

  • Race
  • Ethnic origin
  • Politics
  • Religion
  • Genetics
  • Health

Equal Experts may also process personal data of individuals in the following categories:

  • Staff (including both employees and associates)
  • Clients
  • Suppliers
  • Complainants and enquirers

These permissible categories only relate to Personal Data we may store at Equal Experts, rather than the permissible categories processed by a client project; in these cases, the client is the Data Controller under the Data Protection Act. Consequently, it’s their ICO registration that defines the permissible categories.

Personal Data relating to a client’s projects must not be kept outside the client’s own systems (ie. no back-ups on your own devices, nor Equal Experts systems).

3.2. Fair and lawful processing of Personal Data
When we ask individuals to provide personal information, Equal Experts is the data controller. At the point where personal data is collected, we will clearly state the purpose for which it is being collected. We don’t use personal data for any purposes other than those set out, where there is a lawful basis for processing, or where an individual’s consent has been obtained.

Additionally, we only process personal data:

  • Where it is necessary for compliance with the law, the performance of a contract, or with a view to establishing a contract;
  • Where it is in our legitimate interests to do so.

In the case of sensitive personal data, we’ll request the explicit consent of the individual before processing their personal data, with the following exceptions:

  • When the information relates to racial/ethnic origin, religion or disability that is being collected purely for monitoring equality of opportunity or treatment;
  • It relates to the employment of EE staff;
  • It’s necessary for the provision of advice or support and the individual cannot reasonably be expected to give explicit consent.

Equal Experts does not disclose personal data to third parties, with the following exceptions:

  • Where we’re required to by law;
  • Where there’s an information-sharing agreement in place to ensure that any processing by the third party will be within the law;
  • When it’s necessary in order to fulfil a legitimate purpose that has been advised to the data subject.

3.3. Removing sensitive data
At the end of your engagement for a project (or on request) all related sensitive/confidential data must be removed from your devices, using secure erase functions wherever possible. Any backups must also be deleted. Similarly, physical documents containing this information should be left in the care of your Engagement Manager.

You’ll be asked to confirm you’ve taken these steps as a standard part of the moving on process after a project.

4. Access controls

Information Security demands that you consider access: who should have it, and how it is controlled.

4.1. Physical access
Physical access to client premises is controlled by their security policy, which must be fully complied with.

4.2. Remote access
When accessing Equal Experts and client information remotely, make sure that no-one is able to eavesdrop on sensitive information.

This applies to physical and electronic snooping alike. For example, make sure your screen’s not overlooked in public spaces; don’t access sensitive information over public networks without an effective security measure in place (eg. encrypted virtual desktop, HTTPS websites).

4.3. Credentials
You must follow the guidance on creating and managing credentials from the National Cyber Security Centre (NCSC). You are solely and wholly responsible for how you manage your passwords.

You must use Two-Factor Authentication (2FA) on all accounts where it is available.

We strongly recommend the use of a password management service such as 1Password, Dashlane or LastPass to provide a unique, random password for each system you access.

If you know or suspect one of your credentials is compromised, you must report it (see Section 5, Incident reporting) and change it immediately. Credentials for client systems will need to be reported differently; please tell your Delivery Lead or Engagement Manager.

4.4. Periodic review of access rights
IT systems administered by Equal Experts which contain Equal Experts’ or clients’ proprietary information are periodically reviewed to ensure that all access rights which have been granted are still appropriate.

5. Incident reporting

This policy sets out how to avoid a security incident, but life being as it is, an incident may still occur. If it does, you must immediately follow the Incident Reporting Policy (this is an internal document, please refer to your Engagement Manager for details). A security incident is defined as:

Any actual, suspected, or potential occurrence which could result or could have resulted in unauthorised or unlawful access to, or tampering with, sensitive data belonging to, or in the care of, Equal Experts. This includes any unusual or unexplained activity in online services and any installation of malicious software on devices, whether deliberate or accidental.

Reportable security incidents also include any compromise of systems being managed by Equal Experts teams as part of a client project, whether such compromise is detected by us, the client, or by the service provider.

If the security incident relates to any client data or systems (whether we maintain them or not), then the relevant Engagement Manager or Delivery Lead must also be informed so they can report the incident to the client as well as following the internal EE Incident Reporting Policy.


6. Information transfer, backup & retention

6.1. Information transfer
If you’re transferring sensitive information to another person (or organisation), ensure they are authorised to access that information (by means of a signed Non-Disclosure Agreement where applicable).

They must accept responsibility to protect the security of the information in line with this policy.
Given the nature of the information being shared, you’ll need to use one of the following methods to transfer it:

  • Email – recipients must be authorised to access the information, and the classification of the information must be clearly stated (eg. Sensitive/Confidential).
  • Online storage – Google Drive can be used for transient storage managed by Equal Experts. It should only be used to transfer client information, and the source files must be deleted once the transfer is complete.

Documents must be put in an encrypted container before transferring. Be sure to share the decryption password separately and securely (text or email).

6.2. Data retention
Only retain information for as long as is needed for business purposes. Personal Data must not be retained for any longer than is reasonable for the purposes declared when the information was collected from the data subject.

When the retention period for information has passed, both the primary copy and all backup copies of that information should be erased.


Reviewed March 2020 by Sam McGregor, COO. For further information, feel free to contact our security team on security@equalexperts.com