Data Security Policy
Effective January 1, 2020
Web Bugs, Inc. ("Web Bugs", "we," "our," "us") provides services to users throughout the world and thanks you for visiting web-bugs.com, our Internet website ("Site"). If you use our services in the United States, Web Bugs Inc. (an Ohio corporation) is the data processor for your information. This Data Security Policy ("Data Policy") details Web Bugs' use of client-provided Information as defined below.
Note: This Data Policy is incorporated into and subject to the Terms of Service and, if applicable, the terms of your SaaS Agreement with us.
Table of Contents
- Employee requirements
- Data Leakage Prevention – Data in Motion
- Use of Encryption
Employee requirements
- Any employee, contractor or individual with access to Web Bugs' systems or data.
- Definition of data to be protected
- You need to complete Web Bugs' security awareness training and agree to uphold the acceptable use policy.
- You are required not to reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not authorized by Web Bugs. For example, corporate use of personal e-mail systems is not allowed.
- Please keep a clean desk. To maintain information security you need to ensure that all printed in scope data is not left unattended at your workstation.
- You need to use a secure password on all Web Bugs systems as per the password policy. These credentials must be unique and must not be used on other external systems or services.
- Terminated employees will be required to return all records, in any format, containing personal information. This requirement should be part of the employee onboarding process with employees signing documentation to confirm they will do this.
- You must immediately notify management in the event that a device containing in scope data is lost (e.g. mobiles, laptops, etc.).
- In the event that you find a system or process which you suspect is not compliant with this policy or the objective of information security you have a duty to inform management so that they can take appropriate action.
- If you have been assigned the ability to work remotely you must take extra precaution to ensure that data is appropriately handled. Seek guidance from management if you are unsure as to your responsibilities.
- Please ensure that assets holding data in scope are not left unduly exposed, for example visible in the back seat of your car.
- Data that must be moved within Web Bugs is to be transferred only via business provided secure transfer mechanisms (e.g. encrypted USB keys, file shares, email, etc.). Web Bugs will provide you with systems or devices that fit this purpose. You must not use other mechanisms to handle in scope data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose, you must raise this with management.
- Any information being transferred on a portable device (e.g. USB stick, laptop) must be encrypted in line with industry best practices and applicable law and regulations. If there is doubt regarding the requirements, seek guidance from management.
Data Leakage Prevention – Data in Motion
Web Bugs must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. The protection of in scope data is a critical business requirement, yet flexibility to access data and work effectively is also critical.
It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.
- Any Web Bugs device which handles customer data, sensitive data, personally identifiable information or company data. Any device which is regularly used for e-mail, web or other work related tasks and is not specifically exempt for legitimate business or technology reasons.
- The Web Bugs information security policy will define requirements for handling of information and user behaviour requirements. This policy is to augment the information security policy with technology controls.
- Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements), a risk assessment must be conducted and authorized by security management.
- A Web Bugs manager will coordinate with the client to perform a DLP scan for ongoing data in motion in the proposed project design. It is important to note that this is a responsibility shared between Web Bugs and the client. Use of third party scanning software is available, but not standard.
- The DLP scan will attempt to identify large volumes (thus, of high risk of being sensitive and likely to have significant impact if handled inappropriately) of in scope data. In scope data is defined as:
- Credit card details, bank account numbers and other financial identifiers.
- E-mail addresses, names, addresses and other combinations of personally identifiable information.
- Documents which are marked with personally identifiable or client intellectual property.
- Reasonable efforts will be made to prevent or mitigate the loss of in-scope data.
- Where there is an active concern of data breach, the IT incident management process is to be used, with specific notification provided to the Client's management team.
Use of Encryption
Web Bugs must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers.
As defined by numerous compliance standards and industry best practice, full disk encryption is required to protect against exposure in the event of loss of an asset. This policy defines requirements for full disk encryption protection as a control and associated processes.
- All Web Bugs workstations – desktops and laptops
- All Web Bugs virtual machines not already within an encrypted environment
- When unavailable or unconfigurable in a given third party or hosted service.
- Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements), a risk assessment must be conducted and authorized by security management.
- All devices in scope will have full disk encryption enabled.
- Where management is not possible and standalone encryption is configured (only once approved by a risk assessment), the device user must provide a copy of the active encryption key to IT.
- Web Bugs Management has the right to access any encrypted device for the purposes of investigation, maintenance or the absence of an employee with primary file system access.
- The encryption technology must be configured in accordance with industry best practice to be hardened against attacks.