In2ition Information Security Policy and Protocols
In2ition has implemented the following procedures in order to protect the security of the information generated and maintained by our firm. This policy will be maintained by in2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers.
Company Level
- In2ition typically partners with outside firms and contractors to conduct fieldwork and/or provide data analysis services. In2ition requires all outside resources to sign a non-disclosure agreement to help ensure that those parties do not inappropriately use or share confidential materials used for projects. Please see attached for a copy of our standard NDA document. Electronic copies of these signed documents are retained on our company SharePoint and updated when needed. Any files containing sensitive information are protected with passwords.
Network Level
- In2ition has engaged A&J Computers to host in2ition’s website and exchange server. A&J uses multiple software products to protect against malicious code at the host and network level. Please see attachment for a more detailed description of these controls.
- In2ition has engaged ASI to manage and handle all cyber threats and attacks.
User Level
- All users with network access or email accounts are required to reset their passwords every 90 days. Passwords must be at least 8 characters long and must contain characters from all four primary categories: uppercase letters, lowercase letters, numbers, and special characters.
- Data cannot be accessed or stored on mobile devices.
- Implementing freeware or shareware applications on computing devices is not allowed. Contact Beth Larson if you need freeware or shareware.
- Minimum security baseline standards (device security configuration standards) apply to all end user devices (desktops, laptops, tablets, smartphones, and other mobile devices); anti-virus software is required on each of them.
- End user device operating system versions that no longer have patches released (end of life systems) are prohibited.
Data Protection Impact Assessment
- A DPIA analysis is conducted annually to assess how personal data is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of personal data in identifiable form in any asset; and to examine and evaluate protections and alternate processes for handling personal data to mitigate potential privacy concerns. A formal document is created that details the process and the outcome of the analysis.
Information Systems Access Control Policy
- The purpose of this policy is to define the roles and responsibilities for access to, and control of, in2ition’s information systems.
- Senior analysts, Moderators, Project Managers and Senior Consultants will have information systems access granted for active projects they are assigned. Folder permissions will only be granted when necessary after conflicts have been assessed.
- In2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers will request access from A&J Computers.
- User access to information systems will be disabled upon user termination, user role change, or when no longer required. In2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers will request that A&J Computers disable the access.
- In2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers will review this policy with ASI and A&J Computers once per quarter, or anytime a person joins or leaves in2ition.
Asset and Information Management Policy
- All information assets will be documented and managed in the in2ition Asset and Information Database. In2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers will review the database annually, or whenever an asset is added or removed.
- In2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers are responsible for ensuring Information Assets are inventoried, classified, protected, and decommissioned properly.
- Upon termination in2ition’s Owner, Beth Larson or Chief Compliance Officer Emily Zellers will verify the return of computers and cell phones.
- All media containing client data must be destroyed when the data is no longer required.
- All client data that is sent or received electronically must be password protected and encrypted.
- All client data stored or transferred in SharePoint should be password protected.
Data Retention Policy
The purpose of this policy is to create a data and records retention policy or process that includes a retention schedule for client data. In2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers will maintain and review the data and records retention policy.
- All client data, including raw data in Excel, audio recordings and paper transcripts will be retained for 12 months.
- After 12 months, all client data will be deleted unless a different schedule is requested by the client (i.e., data will be retained longer for tracking studies where trending year on year is required).
- All client files (surveys, interview guides and reports, etc.) will be retained for a minimum of 5 years unless a different schedule is requested by the client.
- Backup copies for client data are required using the same process that is used for original data (password protection and encryption).
- All international data will be collected through vendors that are GDPR compliant. In2ition requests documentation for GDPR policies annually, or whenever using a new vendor for international work. In2ition will never receive or maintain personal data for international respondents.
Records Retention Policy
- All paper and electronic records, including email, that support applicable regulations, standards and contractual requirements will be retained for 5 years, unless otherwise specified by a client.
Privacy/Personal Information Collection & Retention
- Any personal data for individuals collected on behalf of clients needs to be maintained, retained, transmitted and destroyed per the Information Systems Access Control, Asset and Information Management, Data Retention and Records Retention Policies noted earlier. This includes using GDPR compliant vendors to handle international data.
- In2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers will be responsible for reporting unauthorized acquisition, use, or disclosure of client data.
Compliance and Operational Risk
- All in2ition people must comply with legislative, regulatory and contractual requirements. The requirements will be reviewed with the client and in2ition team during project kickoff calls.
- In2ition’s Code of Conduct and Standards will be reviewed annually by all employees. It covers the non-disclosure of insider information, code of conduct, conflicts of interest, and compliance and ethics responsibilities.
Cybersecurity Incident Management
In2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers will maintain and review the Cybersecurity Incident Management policy.
- In the event of a cybersecurity threat, ASI will be contacted to help identify and eliminate the threat and to recover from it.
- In2ition will notify clients, regulatory bodies, and third parties about a potential or confirmed cyber-attack.
- If ASI identifies an exploited vulnerability, they will take corrective action to remove malware, inappropriate materials and other components, and remediate any affected systems discovered.
Threat Management and Vulnerability
Chief Compliance Officer Emily Zellers is assigned to maintain and review this policy.
- Vulnerability scans are performed periodically and upon changes to the IT environment against organizational Information Systems (servers, desktops, laptops, mobile devices and other hardware, operating systems, networks and software).
- In2ition will document and track remediation of vulnerabilities/issues identified during vulnerability assessment and penetration testing.
- Vulnerability scans will be performed by A&J Computers periodically and upon changes to the IT environment against organizational Information Systems.
- A&J Computers will document and track remediation of vulnerabilities/issues identified during vulnerability assessment and penetration testing.
Anti-Malware Policy
Chief Compliance Officer Emily Zellers is assigned to maintain and review this policy.
- Anti-malware software is required to be installed and configured on all organizational Information Systems (servers, desktops, laptops, mobile devices and other hardware, operating systems, networks and software).
- In2ition prohibits users from disabling anti-malware programs.
Endpoint Device Security
Chief Compliance Officer Emily Zellers is assigned to maintain and review this policy.
- Antivirus is required for all end user devices. All endpoints are required to be encrypted.
- If a mobile device is lost or stolen, or an employee leaves the organization, in2ition’s Owner, Beth Larson and Chief Compliance Officer Emily Zellers will contact A&J Computers, who will securely wipe all of the organization’s data from the device.
- End user device operating system versions that no longer have patches released (end of life systems) are prohibited.