Data Security Policy Template

BACKGROUND

The [Executive.Company] ("Company") stays true to its commitment to safeguarding all data belonging to the Company. Establishing this Policy helps create a safe data environment as expected by our customers that keeps their trust and confidence in the Company.

PURPOSE

This Policy aims to provide security guidelines to the organization that will ensure the protection of client data from any unauthorized access and activities that may result in unwanted financial loss, ransom, or any crimes that may be committed by cybercriminals. Lost, stolen, or inappropriate disclosure of any data may cause unexpected loss and reputational risks for the client and the Company.

DEFINITION OF TERMS

1. Data refers to the collected data, including personal and sensitive information, from clients entrusted to the company.

2. Security refers to protecting a certain asset, in this case, the client and company data.

3. Data Security refers to protecting client and company data from malicious attacks such as phishing, hacking, and other fraudulent activities that may compromise company integrity and confidentiality.

4. Unauthorized Access refers to an activity where a person tries to gain illegal access to a certain application to acquire information from an authorized user or company.

5. Cybercrime refers to any unethical or illegal activities involving the heavy use of computers and the internet to commit a crime online with the sole purpose to cause harm to someone or a company’s security, especially those activities affecting their financial health.

6. Cybercriminal refers to an individual or a group excelling in acquiring data online only to engage in cybercrime.

7. Phishing refers to any fraudulent activity that masks itself as an official and reputable entity in all forms of communication, especially through emails. These cybercriminals, for example, will send an email with a seemingly official update from the user's bank account through its distributed attachments and links. These links will help them access a victim's account should it be successfully filled out.

8. Ransomware refers to a type of malware (“malicious software”) that blocks and locks a software system or computer files, making the user lose access or entitlement to a certain application or files. Upon receipt of a ransom demand, cybercriminals promise to return the user's access and entitlement to that system or files.

PERSONNEL RESPONSIBILITIES

All personnel under the Company are encouraged to be aware of how to protect and properly handle all data belonging to the Company. This will safeguard the trust of our clients and enable compliance with all the necessary procedures related to this Policy for client and Company safety.

These action steps are formulated through this Policy to mitigate the risk of any unauthorized access and loss or stolen information, which is strictly implemented by the Company and is part of data security. 

Equipment provided by the Company, such as laptops, mobile devices, or computers, is solely for business use only. It is expected of every employee they utilize and maximize their equipment to deliver the assigned task and responsibilities. To that end, all employees shall:

​

1. Properly shut down or lock the laptop or computer when not in use.

2. Keep login credentials safely stored in a password management system provided by the Company. Employees should not share these credentials with any colleagues or anyone connected to the employee.

3. Beware of accessing any links that require details such as birthdates, card numbers, email addresses, ID numbers, and other related personal and sensitive data.

4. Avoid sharing any company data or information, especially with person/s not in the Company circle or in the business to know.

5. Always keep in mind that there is no place safe for the data, and avoid any applications or databases not configured or commissioned by the Company. There are proper safekeeping procedures and processes that need to be followed.

6. Never attempt to connect to any public wi-fi or mobile data from unknown sources that may risk the network. This includes airports, fast food chains, coffee shops, libraries, and malls as these places are a great opportunity for cybercriminals to execute their data hunting.

7. Use Company-provided secure equipment (e.g., USB sticks, flash drives, file shares, etc.) when transferring data within the Company. Do not use personal equipment as the IT department will provide an encrypted asset to ensure the security of the data files. The employee must not share files or data outside the company-owned equipment.

8. All data transported outside the Company via email or on portable devices (e.g., USB sick or laptop) must be encrypted in line with Company policy. 

9. All employees are encouraged to keep a low profile and not post anything on social media that threaten someone’s security, especially regarding financial cards, whereabouts, or any details that may be used in unlawful activities.

10. All employees are encouraged to be educated about all the aspects of Data Privacy and Customer Protection for additional knowledge that could help in data protection awareness.

11. All employees must immediately report any suspicious emails, text messages, links and activities to be investigated and not to cause further damage to Company’s systems, applications, and databases.

12. All employees are required to attend any seminars, webinars, meetings, and conferences conducted by the Company to help expand their knowledge on data security and broaden their minds to let them be an advocate of data protection for the sake of the clients and the Company.

13. Client data is accessible only to those departments that have the business-to-know and process any transaction concerning requests, updates, and upgrades of the client. The said assigned individual or group of processors of data will be the only one who can access such applications or databases and has been restricted only to the Company domain. Consent for data usage by the third party/ies should be at the discretion of the client.

14. The individual or group of processors should outline the data from personal data (Last Name, First Name, birthdate, address, contact number/s) to sensitive personal data (card number/s, medical history, government-issued ID/s) according to the requirement and solely dependent on the requested process, updates, and upgrades made by the client.