INFORMATION SECURITY POLICY
Last revised: 01 August 2023
BPO Holding LLP (hereinafter referred to as “BPO Holding”, “we” or “us”) provides IT outsourcing services (computer programming, standard software development, information technology consulting, and recruitment of IT developers) to a variety of customers by engaging high-quality specialists.
During its business, BPO Holding may process some information, in particular store, use and transmit it in all its forms, such as written, spoken, recorded electronically or printed (“Information”). Thus, the Information should be appropriately secured to protect against the consequences of breaches in confidentiality, failures of integrity, or interruptions in availability, by means of establishing an appropriate level of security over the Information, as well as over equipment and software used to process it.
BPO Holding seeks to monitor and control the access rights granted to individuals with regard to the Information and the BPO Holding systems that contain it (hereinafter referred to as the “Information System”), as well as the services and/or infrastructure used for processing the Information (“Information Processing Facilities”). In this Information Security Policy we provide guidelines on the classification of Information and impose rules on granting and receiving access to particular classes of Information.
This Information Security Policy applies to all individuals working for us, whether on a permanent or temporary basis, including full-time and part-time employees, contract workers, agency workers, business partners, consultants and vendors (each of them referred to as “Authorized Persons”) that are given access to the Information System and use our assets, especially Information Processing Facilities.
RESPONSIBILITIES
Access control responsibilities are as follows:
BPO Holding’s Manager shall:
· determine and support BPO Holding’s access control strategy;
· appoint an employee responsible for Information Security Policy (“Information Security Officer”);
· ensure the satisfactory resolution of problems relating to the provision of access to the Information where, in response to concerns raised by the Information Security Officer, significant changes are deemed necessary.
The Information Security Officer shall:
· ensure that this Information Security Policy and respective procedures/standards address all our requirements;
· ensure that logon and Information System access procedures meet defined requirements;
· ensure that data and applications are safe in project development environments;
· assist Authorized Persons in their day-to-day use of Information System by performing basic account administration functions, including the unlocking of locked accounts, resetting passwords, and providing instruction;
· investigate all actual or suspected incidents with information security and take measures to restore an appropriate level of information security.
CLASSIFICATION OF THE INFORMATION
All BPO Holding’s Information shall be assigned to one of the following classes:
· Public
Information that is freely available and accessible to the public without any restrictions on access to it, such as public records or news reports, does not need to be tracked or monitored. Hence it is not required to implement any specific protection mechanisms for Information of this type.
· Internal
Information created by, or entrusted to, BPO Holding by partners or clients, whose unauthorized disclosure might cause short-term harm to the business reputation of BPO Holding (“Internal Information”). This Information needs to be kept secret to protect business interests and to ensure continued client trust. Internal Information may be stored in any manner except on externally accessible public sources (e.g. public web space), and should be transmitted over channels secured at a minimum by a virtual private network (VPN). Such virtual access to Internal Information requires authentication. Physical access shall be given to any Authorized Person. All third persons, including but not limited to visitors to the premises or websites of BPO Holding, shall be prevented from accessing Internal Information.
· Confidential
Business-sensitive data whose disclosure can adversely impact the business position and market value of BPO Holding, its partners and/or its clients (“Confidential Information”) must not be disclosed to unauthorized persons, because such data comes under the purview of regulations, contracts or business agreements. This type of Information may be stored exclusively on specifically managed and monitored servers and should be transmitted in encrypted form. Virtual access to Confidential Information requires authentication. Physical access shall be given to certain Authorized Persons on a “need to know” basis. Other Authorized Persons and all third persons, including but not limited to visitors to the premises or websites of BPO Holding, shall be prevented from accessing Confidential Information.
Where the components of Information may refer to different classes, such Information should be assigned to the class providing the greater level of security among the suitable options.
ACCESS CONTROL
Access rights to a particular class of Information and respective Information Processing Facilities will be strictly restricted to those persons who have a bona fide business need to access the Information. BPO Holding’s authorization decisions for granting, approval, and review of access are based on the following principles:
· The need-to-know principle, under which every Authorized Person is granted only the access to the Information System that is necessary to fulfill their roles and responsibilities.
· The least privilege principle, according to which the access rights granted to every Authorized Person are restricted to the resources required for that Authorized Person to perform their duties. Some persons (e.g. the Information Security Officer) shall nevertheless be granted privileged rights (for instance, administrative access). Exercise of privileged rights shall be strictly limited to program installation and Information System reconfiguration. For the avoidance of doubt, privileged rights shall not be used for standard activities and shall not be provided by default. BPO Holding guards against issuing privileged rights to entire teams, to prevent potential losses of Information confidentiality and/or integrity.
· The default deny principle, under which all incoming and outgoing traffic is prohibited unless it is expressly permitted based on protocol, port, source, and destination.
Access control methods used by default include:
· establishment of explicit Information System logon procedures;
· Windows share and file permissions to files and folders;
· account privilege limitations;
· server and workstation access rights;
· firewall permissions;
· database access rights;
· encryption at rest and in flight;
· any other methods as contractually required by interested parties.
Where possible, we set accounts to automatically expire at a pre-set date. More specifically, when temporary access is required, such access will be removed immediately after the respective Authorized Person has completed the task for which the access was granted.
We permanently maintain lists of the following Authorized Persons:
· Authorized Persons responsible for granting access to particular Information and respective Information Processing Facilities;
· Authorized Persons who are authorized to access specified Information and respective Information Processing Facilities.
Existing accounts and access rights will be reviewed at least annually to detect dormant accounts and accounts with excessive privileges. Examples of accounts with excessive privileges include the following:
· an active account assigned to a former Authorized Person whose cooperation with BPO Holding has been suspended or terminated;
· an active account with access rights which do not correspond to the powers of the Authorized Person.
Access rights which are not necessary to be granted to a respective Authorized Person (for instance, due to a change of position of an Authorized Person) should be immediately removed. BPO Holding takes appropriate measures to cancel/delete accounts and all access rights of those persons whose commitment to BPO Holding is suspended or terminated for any reason.
Visitors who require internal network access will need the permission of the Information Security Officer. Visitors' use of an Authorized Person’s credentials is not permitted under any circumstances.
INFORMATION SYSTEM ACCESS CONTROL
Minimum requirements for Information System access control are the following:
· keeping valid individual identifications and passwords for all Information System access;
· keeping records of successful and unsuccessful Information System accesses;
· keeping a recent logging history;
· employment of effective authorization control schemes;
· providing default configuration for proper provision of access rights;
· ensuring differentiation of access rights (profiles, roles, and objects); and
· review of access rights on an ongoing basis.
LOGON PROCESS
Access to Information System is to be via a secure logon process, which should comply with the following minimal requirements:
· not to display Information System or application prompts (other than regular ones, such as a Caps Lock warning) until the logon process has been completed;
· to validate the logon information only on completion of all input data;
· to limit the time allowed for the logon process;
· to allow only three (3) unsuccessful logon attempts before restricting the Information System access rights;
· to keep the records of unsuccessful logon attempts;
· to provide multi-factor authentication for administrative access.
If an Authorized Person reasonably believes that the Information System has been accessed by a person without sufficient access rights, this should be immediately reported to the Information Security Officer.
We maintain a process for:
· providing reports of invalid logon attempts (upon necessity);
· preventing, detecting and reacting to systematic attacks on the Information System (or on its hardware or software components).
PASSWORD STANDARDS
BPO Holding applies strong password standards to reduce the chances of intruders gaining access to Information System through the exploitation of Authorized Persons’ accounts.
BPO Holding’s password management system should ensure at least the following:
· to force the Authorized Persons to change temporary (initial) passwords at the first logon;
· not to display the password while being entered;
· to allow Authorized Persons to change their passwords and, during such changes, to force them to provide a new password at least two (2) times to prevent typing errors;
· to restrict maximum password lifetime to ninety (90) calendar days for all accounts;
· to store password files in encrypted form separately from the other Information System datasets;
· to restrict access to password files to the Authorized Persons with administrative access;
· to delete or alter default IDs and passwords following the installation of software.
The Authorized Persons should adhere to the following rules:
· to use individual passwords to maintain accountability;
· to keep passwords secret and not share them with any other person, including any other Authorized Person;
· not to use Information System account passwords (or related passwords) for personal accounts;
· to obtain administrative access based on a unique password which is used exclusively for administrative account logon;
· to maintain a password of a minimum length of eight (8) characters;
· not to base the passwords on any of the following:
  · months of the year, days of the week or any other aspect of the date;
  · family names, initials, or car registration numbers;
  · company names, identifiers, or references;
  · telephone numbers or similar all-number groups;
  · user identification, user name, group identification, or another system identifier;
  · more than two (2) consecutive identical characters;
  · all-numeric or all-alphabetic groups;
  · cliché patterns (or their variations), such as “aaabbb”, “qwerty”, “zyxwvuts”, “123321”, “Welcome123”, “Password123”, “Changeme123” etc.;
· not to write down and/or store a password in web-space without encryption;
· not to reveal a password in email, chat, or other electronic communication;
· not to reveal a password on questionnaires or security forms;
· not to speak about a password in front of others;
· not to hint at the format of a password (e.g. “my family name”);
· to always decline the use of the “Remember Password” feature.
If someone demands an Authorized Person to provide their password, the Authorized Person should refer them to this document and direct them to the Information Security Officer.
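As an added illustration (not part of the policy itself), the following Python checker applies the password composition rules listed above to a candidate password. The company identifier tokens, the six-digit threshold used for "telephone-like" groups and the sample passwords are assumptions constructed for the example.

```python
import re

# Rule parameters taken from the policy text above.
MIN_LENGTH = 8     # "a minimum length of eight (8) characters"
MAX_REPEAT = 2     # "not more than two (2) consecutive identical characters"
CLICHE_PATTERNS = ("aaabbb", "qwerty", "zyxwvuts", "123321",
                   "welcome123", "password123", "changeme123")
# Assumed stand-ins for the "company names, identifiers, or references" rule.
COMPANY_TOKENS = ("bpoholding", "bpo")
DATE_WORDS = ("january", "february", "march", "april", "may", "june", "july",
              "august", "september", "october", "november", "december",
              "monday", "tuesday", "wednesday", "thursday", "friday",
              "saturday", "sunday")
# Assumption: a run of six or more digits is treated as "telephone numbers or
# similar all-number groups".
PHONE_LIKE = re.compile(r"\d{6,}")
REPEAT = re.compile(r"(.)\1{%d,}" % MAX_REPEAT)   # three or more identical in a row


def check_password(password, username="", personal_tokens=()):
    """Return the list of policy rules the candidate password violates.

    personal_tokens: family names, initials, car registrations etc. supplied
    by the caller (the policy forbids basing a password on them).
    An empty list means the password is compliant with every rule checked here.
    """
    lowered = password.lower()
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if REPEAT.search(password):
        violations.append("more than two consecutive identical characters")
    if password.isdigit():
        violations.append("all-numeric")
    if password.isalpha():
        violations.append("all-alphabetic")
    if username and username.lower() in lowered:
        violations.append("contains user identifier")
    if any(tok in lowered for tok in COMPANY_TOKENS):
        violations.append("contains company identifier")
    for word in DATE_WORDS:
        if word in lowered:
            violations.append("contains date element: " + word)
    for pat in CLICHE_PATTERNS:
        # The reversed pattern counts as one of the "variations" the policy names.
        if pat in lowered or pat[::-1] in lowered:
            violations.append("matches cliche pattern: " + pat)
    for tok in personal_tokens:
        if tok and tok.lower() in lowered:
            violations.append("contains personal detail: " + tok.lower())
    if PHONE_LIKE.search(password):
        violations.append("contains telephone-like digit run")
    return violations


def is_compliant(password, username="", personal_tokens=()):
    """True when no rule above is violated."""
    return not check_password(password, username, personal_tokens)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("Welcome123", "aaabbbcc", "Tr0ub4dor&3x"):
        print(pw, "->", check_password(pw, username="jsmith") or "compliant")
```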
COMMUNICATION STANDARDS
Conversation
Transfer of any portion of the Information by means of conversation should always occur only inside those premises which are appropriately secured from any unauthorized access. In particular, the Information cannot be communicated in public places or in the presence of unauthorized persons.
E-mail
Information must be transmitted exclusively via accounts created and maintained by BPO Holding.
Confidential Information, if sent over e-mail, should be transmitted with appropriate safeguards:
· the mail title should not include sensitive details;
· browsers should be set up in compliance with generally accepted security standards (e.g. passwords are not saved, temporary internet files are deleted on exit from the Information System, etc.);
· personal use of e-mail should be kept to a minimum;
· personal e-mails shall be kept separate from business e-mails, at least in a dedicated folder;
· no Confidential Information should be sent as part of, or attached to, an e-mail message unless the Confidential Information is encrypted;
· e-mail attachments are a common source of malicious software and particular care is to be taken before opening any attachments, especially if the message is not from a trusted source;
· messages that are forwarded by Authorized Persons to third party (receiver) should not contain any portion of BPO Holding’s Information, regarding which the respective receiver is not granted access rights.
Telephone
There will be occasions when telephone enquiries are received asking for the disclosure of Information. When this disclosure is legally justified and the caller has a legal right to access that Information, the following rules should be adhered to:
· to verify the caller’s personal details;
· to obtain and record the caller’s telephone number;
· if the caller is acting on behalf of an organization, the main switchboard number of that organization should be obtained and used to call back;
· to conduct the call in an area that is private (where the persons without sufficient access rights cannot overhear);
· not to leave unattended any notes made during the calls, and to keep them in a secure place (locked away);
· to immediately refer any suspect inquiries to the Information Security Officer;
· to provide no more than the minimum amount of Information necessary to satisfy the request;
· if in doubt, the caller should be advised that they will be called back upon clarifying necessary data.
Communication By Post
Incoming:
· to ensure that the incoming post is received in an environment away from public interference (e.g. not left on the receptionist’s desk in a waiting area unattended);
· to open incoming mail away from public areas;
· to ensure that the post is stored securely and picked up frequently.
Outgoing:
· to perform at least a double-check of addresses;
· to mark post clearly with names and addresses;
· for important letters/parcels, to ask for confirmation of safe arrival;
· where it is possible, to send the post with a person specially authorized by BPO Holding for the performance of such functions.
Text messages and telephone conversation:
· to check that the mobile number is correct and be confident that the person using the recipient’s mobile is the person to whom the message is intended;
· to use only those messengers which maintain up-to-date and appropriately secure encryption methods;
· to never save any files onto the hard drive of your mobile device;
· to always dial in with a secure token when accessing files;
· to make sure to save files to BPO Holding’s network drive;
· to never access Internal or Confidential Information on your mobile device;
· not to leave an unlocked mobile device unattended.
When using a telephone as the method of communication, a minimum amount of Information should be sent, due to the fact that mobile phone networks may be open to additional risks of eavesdropping or interception.
STORAGE AND TRANSFER OF DOCUMENTS
Due care must be taken when storing and transferring paper documents containing Internal or Confidential Information:
· to store relevant documents locked away in a cupboard or cabinet;
· to never leave relevant documents unattended;
· to record which documents are taken off-site, from a department, or from BPO Holding’s premises, and, if applicable, where and to whom the documents have gone;
· to ensure that the relevant documents are returned as soon as possible;
· to record that the relevant documents have been returned.
REMOTE ACCESS
Authorized Persons should strictly follow BPO Holding’s security requirements when obtaining and using remote access to Information System accounts:
· Secure remote access must be strictly controlled. Such control shall be enforced via one-time password authentication or public/private keys with strong passphrases. No uncontrolled external access to BPO Holding’s network will be permitted.
· At no time should Authorized Persons provide their login or e-mail password to anyone.
· Authorized Persons must ensure that their BPO Holding-owned or personal computer or workstation, while remotely connected to BPO Holding’s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the Authorized Person.
· Authorized Persons must not use non-corporate e-mail accounts, or other external resources, to conduct BPO Holding business, thereby ensuring that official business is never mixed with personal matters.
· BPO Holding’s Authorized Persons shall install and employ the authorized full disk encryption software on their laptops unless an approved exception has been authorized by the Information Security Officer for appropriate business purposes.
· Routers configured for access to the BPO Holding network must meet minimum authentication requirements.
· Non-standard hardware configurations must be approved by the Information Security Officer, and BPO Holding must approve security configurations for access to hardware.
· All PCs, laptops and workstations that are connected to BPO Holding internal networks via remote access technologies must use the most up-to-date anti-virus software.
· Personal equipment that is used to connect to BPO Holding’s networks must meet the requirements of BPO Holding-owned equipment for remote access.
· Individuals who wish to implement non-standard remote access solutions to the BPO Holding production network must obtain prior approval from the Information Security Officer.
MALWARE PROTECTION
All servers must have an anti-virus application installed that provides real-time scanning of files and applications running on the target system.
If the target system is a mail server, it must have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server.
All devices connected to BPO Holding's intranet must have up-to-date anti-virus products and a firewall installed. All Information Processing Facilities running a Windows operating system must have Microsoft security updates enabled.
BPO Holding keeps anti-virus products up to date with virus definitions and security settings. The Information Security Officer is responsible for notifying Authorized Persons of any credible virus threats, and the latter are required to comply with instructions received from the Information Security Officer.
No software is to be downloaded from the Internet without prior approval of the Information Security Officer.
BACK-UP PROCEDURE
The Information must be regularly backed up. This ensures that Information which is lost, stolen or damaged can be restored and its integrity maintained.
· The backup media will be stored in appropriately secured cloud platforms (in particular, Microsoft Azure: West Europe Azure Availability Zone).
· The frequency and extent of backups must be in accordance with the importance of Information and the acceptable risk.
· The Information backup and recovery process must be duly documented. At least the following data should be specified:
  o a list of the specific Information to be backed up;
  o the types of backup to be used (e.g. full backup, incremental backup, etc.);
  o the frequency and time of data backup (every 12/24 hours);
  o the storage media to be used for backup purposes;
  o any requirements concerning backup archives;
  o the process for Information recovery using backup data.
· The Information backup and recovery process is subject to periodic reviews.
Backup copies must be stored with a short description that includes at least the following data:
· backup date;
· source name;
· type of backup method (full or incremental).
Backup requirements:
· Backup software shall be scheduled to run nightly to capture all data from the previous day.
· Backup logs are to be reviewed to verify that the backup was completed.
· In case of a disaster, backup tapes should be available for retrieval and not subject to destruction.
· Data on hard drives shall be backed up daily, and mobile devices shall be brought in to be backed up on a weekly basis (or as soon as practical) if an Authorized Person is on an extended travel arrangement.
· IT backup systems should be designed to ensure that routine backup operations require no manual intervention.
CHANGES TO THIS INFORMATION SECURITY POLICY
We may, from time to time, modify or update this Information Security Policy, upon which we will also update the “Last revised” date specified above in this document. You are advised to visit this page regularly for the latest information on our information security practices.
CONTACTS
If you have any questions regarding this Information Security Policy, please contact us via the following details:
Postal address (BPO Holding LLP): Unit 2042, 2nd Floor, 6 Market Place, Fitzrovia, London, United Kingdom, W1W 8AF.
Email: contact@bpoholding.com