Cyber Security Policy
Brief & Purpose
Our Firm’s cyber security policy outlines our guidelines and provisions for ensuring the security of our data and technology infrastructure.
Our heavy reliance on technology to collect, manage and store information makes us more vulnerable to severe security breaches. Human error, malicious attacks and system malfunctions could cause great monetary damage or jeopardize our Firm’s reputation.
For this reason, we have implemented several security measures and put in place instructions and procedures that help mitigate security risks. Both are set out in this policy.
This policy applies to all our permanent and temporary employees, contractors, volunteers and anyone who has permanent or temporary access to our systems and hardware.
Confidential data is secret and valuable to the Firm. Some common examples are:
● Unpublished financial information
● Data of clients/partners/contractors/vendors
● Products, methodologies, code, training content, applications, formulas, new technologies, etc.
● Client lists (past, existing and prospective)
All employees are obliged to protect this data. In this policy, we will give our employees instructions on how to avoid security breaches.
Personal and Firm Devices Protection
Employees who use their digital devices to access Firm email or accounts may introduce security risks to our data. We regularly advise employees to keep their personal and Firm-issued computers, tablets and cell phones secure. They can do this if they:
● Keep all devices protected with strong passwords.
● Install a complete antivirus software and keep it up to date.
● Ensure they do not leave their devices exposed or unattended, as set out in the device issue agreement.
● Install browser and system security updates monthly, as soon as they become available.
● Access Firm accounts and systems through secure, private networks only.
We also advise our employees against accessing the Firm’s internal systems and accounts from other people’s devices or letting others access their devices.
When new hires or current employees receive Firm-issued equipment, they may receive instructions for:
● [Disk encryption setup]
● [Password management tool setup]
● [Installation of antivirus/anti-malware software]
● [Best Practices Tutorial Video to ensure data safety]
Employees are required to follow these instructions to protect their devices and to reach out to our Security Specialist if they have any questions.
Email is a common vehicle for scams and malicious attacks. To avoid viruses or data theft, we instruct employees to:
● Avoid opening attachments or clicking on links when the content is not adequately explained and the email is not from a trusted source (e.g. “watch this video, it’s amazing.”)
● Not fall for clickbait titles (e.g. offers of prizes or advice).
● Check the email addresses and names of senders to ensure they are legitimate.
● Look for subtle clues (e.g. spelling and grammatical mistakes, unusual capitalization, an excessive number of exclamation marks, etc.)
If an employee is not sure whether an email they received is safe, they can refer it to our Security Specialist.
Adequate Password Management
Password security is a high priority: a leaked password can compromise our entire infrastructure and data. Passwords must not only be strong enough to resist guessing and cracking, they must also remain secret. For this reason, we advise our employees to:
● Choose passwords with at least eight characters (including capital and lower-case letters, numbers and special characters) and avoid information that can be easily guessed (e.g. birthdays, anniversaries, etc.)
● Memorize passwords and never write them down. If employees must write down a password, they are obliged to keep the paper or digital document confidential and destroy it when it is no longer needed.
● Never share credentials unless officially asked to do so in writing by the Firm’s authorised personnel.
● Change their passwords every quarter.
We also have a reputable password management tool in place that generates strong random passwords and stores them. Employees who handle critical data are obliged to generate their passwords with this tool, following the advice above.
Transfer Data Securely
Transferring data securely is among our top priorities, as data in transit is exposed to security risks. Employees must:
● Avoid transferring sensitive and critical data (e.g. client information and data, employee records) to other devices or accounts unless absolutely necessary and authorised by the Firm. Approach the Security Specialists for any mass transfer of such data.
● Not share confidential data over public Wi-Fi.
● Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
● Report scams, privacy breaches and hacking attempts immediately to Security Specialists.
Our Security Specialists need to know about scams, breaches and malware immediately so they can better protect our infrastructure. We advise our employees to report perceived attacks, suspicious emails or phishing attempts to our specialists as soon as possible. Our Security Specialists must investigate promptly, resolve the issue and send a Firm-wide alert when necessary.
Our Security Specialists are responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.
To reduce the possibilities of security breaches, our employees are instructed to:
● Turn off their screens and lock their devices when leaving their desks.
● Report stolen or damaged equipment as soon as possible to [HR/ IT Department].
● Change all account passwords at once when a device is stolen or missing.
● Report a perceived threat or possible security weakness in Firm systems.
● Refrain from downloading suspicious, unauthorized or illegal software on their Firm equipment.
● Avoid accessing suspicious websites.
● Refrain from opening and responding to emails received from outside the Firm.
We also expect our employees to comply with our social media and internet usage policy.
Our Security Specialists should:
● Install firewalls, anti-malware software and access authentication systems.
● Arrange security training for all employees.
● Inform employees regularly about new scam emails or viruses and ways to combat them.
● Investigate security breaches thoroughly.
● Follow these policy provisions as other employees do.
Our Firm will maintain the physical and digital safeguards needed to protect information.
Remote employees must follow this policy’s instructions too. Since they access our Firm’s accounts and systems remotely, they are obliged to follow all data encryption and protection standards and settings, and to ensure the security of their private networks.
We encourage them to seek advice from our Security Specialists.
All employees are expected to follow this policy at all times; those who cause security breaches may face disciplinary action:
● First-time, unintentional, small-impact security breach: We may issue a verbal warning and train the employee on security and its best practices.
● Intentional, repeated or large-impact breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action, up to and including termination.
We will examine each incident on a case-by-case basis.
Additionally, employees who disregard our security instructions and policy will face progressive discipline, even if their behavior has not resulted in a security breach.
Security: A Serious Matter
Everyone, from our clients and partners to our employees, contractors and vendors, should be confident that their data is safe. To achieve this, we have to proactively protect our systems and databases. Staying vigilant and keeping cyber security top of mind both contribute to this.