Trade House Media

Security and Compliance Policy

Last updated: July 29, 2025

1 - Purpose

The purpose of this Information Security Policy is to establish a framework for managing and protecting the information assets of Trade House Media.

This policy aims to ensure the confidentiality, integrity, and availability of all information handled by the company.

By implementing this policy, Trade House Media seeks to comply with applicable legal, regulatory, and contractual requirements, including GDPR and HIPAA.

The policy also aims to mitigate risks associated with information security threats and vulnerabilities.

2 - Scope

2.1. Departments

This policy applies to all departments within Trade House Media, including Administration, Software Development, Customer Support, and Sales & Marketing.

2.2. Types of data

The policy covers all types of data handled by the company, including Customer Personally Identifiable Information (PII), Employee Records, Financial Data, Project Specifications, Source Code, Testing Data, login credentials, and API keys for ad tech platforms.

2.3. Key information assets

Key information assets protected under this policy include the Customer Database, Employee Records, Financial System, Project Management Software, Source Code Repository, Office Network Infrastructure, Mobile and Web Applications, Company Website, and Internal Documentation.

3 - Information Security Objectives

Trade House Media aims to protect customer and employee data from unauthorized access, disclosure, alteration, and destruction.

The company seeks to ensure the availability of its information systems and services to authorized users.

Trade House Media is committed to maintaining the integrity of its data and information systems.

The company aims to comply with all relevant legal, regulatory, and contractual obligations related to information security.

4 - Data Classification

Data within Trade House Media is classified to ensure appropriate levels of protection are applied.

The classification levels include Public, Internal, Confidential, and Restricted.

Public data is information that can be freely shared without any risk to the company.

Internal data is intended for use within the company and should not be disclosed externally.

Confidential data includes sensitive information such as Customer PII and Employee Records, requiring strict access controls.

Restricted data is highly sensitive and includes information such as login credentials and API keys, necessitating the highest level of protection.

5 - Roles and Responsibilities

The Chief Information Security Officer (CISO), John Doe, is responsible for overseeing the development, implementation, and maintenance of the Information Security Management System (ISMS) at Trade House Media.

He ensures compliance with relevant legal, regulatory, and contractual requirements, including GDPR and HIPAA.

The Administration Department is tasked with managing and maintaining records of all security policies and procedures.

They are responsible for ensuring that all employees are aware of and adhere to the information security policies.

The Software Development Department is responsible for implementing secure coding practices and ensuring that all software products are developed with security in mind.

They must conduct regular security assessments and vulnerability testing on all software products.

The Customer Support Department is responsible for managing customer data securely and ensuring that any customer interactions comply with information security policies.

They must report any suspected data breaches or security incidents immediately to the CISO.

The Sales & Marketing Department is responsible for ensuring that all marketing activities comply with data protection regulations and that customer data is handled securely.

All employees are responsible for adhering to the information security policies and procedures.

They must report any security incidents or suspected breaches to their immediate supervisor or the CISO.

6 - Access Control

Access to Trade House Media's systems and data is restricted to authorized personnel only.

Employees are granted access based on their role and responsibilities within the company.

Access rights are reviewed regularly to ensure they remain appropriate.

All employees must use company-issued devices to access systems and data.

Two-factor authentication is mandatory for accessing all systems.

Employees must use VPNs when accessing systems from outside the office to ensure secure connections.

Access to sensitive data such as Customer Personally Identifiable Information (PII), Employee Records, Financial Data, Project Specifications, Source Code, Testing Data, login credentials, and API keys is strictly controlled.

Access to this data is granted on a need-to-know basis and requires approval from the CISO.

Employees must not share their login credentials with others and must report any unauthorized access attempts immediately.

Regular audits are conducted to ensure compliance with access control policies and to identify any unauthorized access.

7 - Security Measures

Trade House Media is committed to implementing robust security measures to protect our information assets and ensure compliance with applicable legal and regulatory requirements.

Our physical security measures at the primary office location include card-based access control to prevent unauthorized entry.

Security cameras are strategically placed at all entrances and exits to monitor and record activities.

Visitors are required to sign in upon arrival and are escorted by authorized personnel throughout their visit to maintain security and confidentiality.

We have established a comprehensive change management process to manage system changes effectively.

All changes are meticulously tracked through a Change Management System to ensure accountability and traceability.

Before implementation, changes must receive approval from the Chief Information Security Officer (CISO) to ensure they align with our security policies.

Furthermore, all changes undergo rigorous testing in a separate environment to identify and mitigate potential risks before deployment.

To safeguard information during transmission, we employ industry-standard encryption protocols.

All data in transit is encrypted using TLS to prevent interception and unauthorized access; the deprecated SSL protocol versions that preceded TLS must not be used.

Our email system is fortified with secure email gateways to protect both outbound and inbound traffic, ensuring the confidentiality and integrity of communications.

In the event of a security incident, we adhere to a predefined Incident Response Plan to manage and mitigate the impact.

All incidents are promptly logged and thoroughly investigated to identify root causes and prevent recurrence.

Lessons learned from each incident are systematically incorporated into our security procedures to enhance our overall security posture.

We have developed a comprehensive Business Continuity Plan to ensure the resilience of our operations.

This plan includes regular data backups to secure locations and the establishment of a disaster recovery site to maintain business continuity in the event of a disruption.

Predefined roles and responsibilities are assigned to the management team to facilitate a coordinated response during a crisis.

Trade House Media is committed to maintaining the highest standards of information security to protect our assets and comply with GDPR and HIPAA regulations. Our security measures are continuously reviewed and updated to address emerging threats and vulnerabilities, ensuring the ongoing protection of our information assets.

8 - Training and Awareness

Trade House Media is committed to ensuring that all employees are aware of their responsibilities regarding information security.

Training programs will be conducted regularly to educate employees on the importance of protecting customer personally identifiable information, employee records, financial data, project specifications, source code, testing data, login credentials, and API keys.

All new employees will undergo an initial information security training session as part of their onboarding process.

Periodic refresher courses will be provided to all staff to keep them informed of any changes in security policies, procedures, and emerging threats.

Specialized training will be offered to employees in roles with elevated access to sensitive data, such as software development and administration.

The Chief Information Security Officer, John Doe, will oversee the development and implementation of the training programs to ensure they meet the company's security objectives and compliance requirements.

Employees will be required to acknowledge their understanding of the security policies and procedures upon completion of training sessions.

9 - Policy Compliance

Compliance with the information security policy is mandatory for all employees of Trade House Media.

Non-compliance with the policy may result in disciplinary action, up to and including termination of employment, depending on the severity of the breach.

Regular audits and assessments will be conducted to ensure adherence to the policy and to identify any areas of non-compliance.

Employees are encouraged to report any suspected violations of the policy to their supervisor or directly to the Chief Information Security Officer.

Trade House Media will take appropriate measures to investigate and address any reported incidents of non-compliance.

The company will ensure that all legal, regulatory, and contractual requirements, including GDPR and HIPAA, are met in relation to information security.

10 - Review and Updates

The information security policy will be reviewed at least annually to ensure its continued relevance and effectiveness.

Reviews will also be conducted in response to significant changes in the company's operations, technology, or regulatory environment.

The Chief Information Security Officer, John Doe, will be responsible for coordinating the review process and implementing any necessary updates to the policy.

Feedback from employees and stakeholders will be considered during the review process to ensure the policy remains practical and applicable.

Any changes to the policy will be communicated to all employees, and additional training will be provided if necessary to address the updates.

Trade House Media is committed to maintaining a robust information security management system that evolves with the changing landscape of threats and compliance requirements.

11 - Definitions

Confidentiality: The principle of preventing unauthorized access to information. It ensures that information is accessible only to those authorized to have access.

Integrity: The assurance that information is trustworthy and accurate. It refers to protecting data from being altered or tampered with by unauthorized individuals.

Availability: The guarantee that authorized users have access to information and associated assets when required.

Personally Identifiable Information (PII): Any data that can be used to identify a specific individual, including names, addresses, phone numbers, and social security numbers.

Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that can be linked to an individual.

Risk Assessment: The process of identifying, evaluating, and analyzing risks associated with organizational operations, particularly in terms of information security.

Change Management: The controlled process for requesting, approving, testing, and recording changes to information systems so that changes are traceable and do not introduce security risk.

Incident Management: The process of identifying, managing, and analyzing security breaches or attacks to prevent future occurrences.

Business Continuity Plan (BCP): A plan that outlines procedures and instructions an organization must follow in the face of disaster, in order to continue its daily operations.

Two-Factor Authentication (2FA): A security process in which users provide two different authentication factors (for example, something they know, such as a password, and something they have, such as a hardware token or authenticator app) to verify themselves.

Virtual Private Network (VPN): A technology that creates a safe and encrypted connection over a less secure network, such as the internet.

SSL/TLS (Secure Sockets Layer/Transport Layer Security): Protocols for establishing authenticated and encrypted links between networked computers. SSL is the deprecated predecessor of TLS; only TLS should be used for new connections.