Information Security Policy

Information Security Policy

1. Purpose

The company must restrict access to confidential and sensitive data to protect it from being lost or compromised in order to avoid adversely impacting our customers, incurring penalties for non-compliance and suffering damage to our reputation. At the same time, we must ensure users can access data as required for them to work effectively.
It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase user awareness and avoid accidental loss scenarios, so it outlines the requirements for data breach prevention.

2. Scope

Data Classification
  • Public: Any type of data that is not personal or sensitive and is accessible by anyone.
  • Internal: Data not intended for public disclosure but has low security requirements.
    • eg data in the Causal Map folder at Google Workspace
  • Confidential: Data that could create moderate risk if disclosed to an unauthorized user.
    • eg data in the Causal Map Management folder at Google Workspace
    • eg data in the Public section at Notion
  • Restricted: The highest level of sensitive data that could put an organization at severe risk if disclosed to an unauthorized user.
    • In particular, client data including their data in the Causal Map app and associated files.
2.1 In Scope
This data security policy applies all customer data, personal data, or other company data defined as sensitive. Therefore, it applies to every server, database and IT system that handles such data, including any device that is regularly used for email, web access or other work-related tasks. Every user who interacts with company IT services is also subject to this policy.
2.2 Out of Scope
Information that is classified as Public is not subject to this policy. Other data can be excluded from the policy by company management based on specific business needs, such as that protecting the data is too costly or too complex.

3. Policy for internal and contracted users

3.1 Principles
The company shall provide all employees and contracted third parties (the “users”) with access to the information they need to carry out their responsibilities as effectively and efficiently as possible.
3.2 General
a. Each user shall be identified by a unique user ID so that individuals can be held accountable for their actions.
b. The use of shared identities is permitted only where they are suitable, such as training accounts or service accounts e.g. help@causalmap.app.
c. Each user shall read this data security policy and the login and logoff guidelines, and sign a statement that they understand the conditions of access.
d. Records of user access may be used to provide evidence for security incident investigations.
e. Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.
3.3 Access Control Authorization
Access to company IT resources and services will be given through the provision of a unique user account based on an email address and complex password.
3.4 Network Access e.g. to Google Workspace, Notion, the Causal Map app
a. All employees and contractors shall be given network access in accordance with business access control procedures and the least-privilege principle.
3.5 User Responsibilities
a. All users must lock their screens whenever they leave their desks to reduce the risk of unauthorized access.
b. All users must keep their workplace clear of any sensitive or confidential information when they leave.
c. All users must keep their passwords confidential and not share them.
3.6 Application and Information Access
a. All company staff and contractors shall be granted access to the data and applications required for their job roles.
b. All company staff and contractors shall access sensitive data and systems only if there is a business need to do so and they have approval from higher management.
c. Sensitive systems shall be physically or logically isolated in order to restrict access to authorized personnel only.
3.7 Access to Confidential, Restricted information
a. Access to data classified as ‘Confidential’ or ‘Restricted’ shall be limited to authorized persons whose job responsibilities require it, as determined by line management.

4. Reporting Requirements

This section describes the requirements for reporting incidents that happen.
a. Daily incident reports shall be produced and handled by the IT Director in the event of an incident.
b. High-priority incidents shall be immediately reported to the IT Director (SP).
 

5. Definitions

This paragraph defines any technical terms used in this policy.
  • Data owners are employees / contractors who have primary responsibility for maintaining information that they own.
  • Users include everyone who has access to information resources, such as employees, trustees, contractors, consultants, temporary employees and volunteers.
  • Database — An organized collection of data, generally stored and accessed electronically from a computer system.
  • Encryption—The process of encoding a message or other information so that only authorized parties can access it.
  • Firewall — A technology used for isolating one network from another. Firewalls can be standalone systems or can be included in other devices, such as routers or servers.
  • Server — A computer program or a device that provides functionality for other programs or devices, called clients.
 
We reserve the right to change this policy at any given time, in which case we will update you.