General Security Policy
last updated: 10 December 2024
TeamKinetic - General Security Policy
Written by: Rolf Herbert
Reviewed by: Chris Martin
Date: 08/10/2024
1. Introduction & Scope
Purpose: The primary purpose of the Security Policy is to establish a comprehensive framework for managing information security within TeamKinetic. This includes protecting sensitive data, ensuring compliance with relevant regulations, and maintaining the integrity and confidentiality of information throughout the project lifecycle. The policy aims to safeguard against data breaches and other security incidents by implementing robust security measures and protocols.
Audience: The Security Policy applies to all personnel delivering projects and support services at TeamKinetic, including employees, contractors and subcontractors with access to sensitive information. It ensures that all staff are aware of their data protection and information security responsibilities, supported by ongoing training and awareness initiatives.
Scope: The scope of the Security Policy covers all aspects of information security management within TeamKinetic, including:
- Security Governance
- Security Certification
- HR Security
- IT Operations
- Software Development
- Network and Cloud Security
- Physical Security
- Business Resilience
- Supply Chain Management
- Data Protection
- AI
- Financial Risk
- Depreciation controls
Specific policies for each of these areas are available here. The following summarises critical policy areas associated with security.
2. Data Security
Data Classification:
All data must be protected in accordance with its classification, minimising the risk of data breaches and ensuring compliance with relevant regulations.
Data Classification Categories: Data is classified into the following categories based on sensitivity:
- Public Data: Information that is freely available to the public and poses no risk if disclosed. Examples include marketing materials, press releases, and publicly available reports. Handling requirements:
  - No special handling requirements.
  - Can be shared without restrictions.
- Internal Data: Information intended for internal use only. This data is not classified as confidential but should not be disclosed outside the organisation without proper authorisation. Examples include internal policies, procedures, and operational data. Handling requirements:
  - Access should be limited to employees and authorised personnel.
  - Should be stored securely and shared only through secure channels.
- Confidential Data: Sensitive information that, if disclosed, could harm the organisation or individuals. This includes personal data, financial information, and proprietary business information. Handling requirements:
  - Access should be restricted to individuals with a legitimate need to know.
  - Must be encrypted during transmission and storage.
  - Should not be shared without explicit consent from the data owner.
- Restricted Data: Highly sensitive information that requires the highest level of protection. This includes data subject to legal or regulatory requirements, such as health records and sensitive personal information. Handling requirements:
  - Access should be strictly controlled and monitored.
  - Must be encrypted at all times, both in transit and at rest.
  - Sharing is prohibited unless explicitly authorised by senior management or required by law.
You can review our DPIA here.
Data Owners:
Data Owners within TeamKinetic are responsible for ensuring compliance with established handling requirements.
Responsibilities of Data Owners: Data Owners are responsible for the following:
- Data Classification: Accurately classify data according to its sensitivity level (e.g., public, internal, confidential, restricted) to ensure appropriate handling and protection measures are applied.
- Compliance Assurance: Ensure that all data handling practices comply with relevant policies, regulations, and legal requirements, including data protection laws.
- Access Control: Define and manage access rights to data, ensuring that only authorised personnel have access to sensitive information based on the principle of least privilege.
- Training and Awareness: Provide staff with training and guidance on data handling procedures and the importance of data protection.
- Monitoring and Review: Regularly review data classification and handling practices to ensure ongoing compliance and effectiveness of security measures.
IT Department
Responsible for implementing technical controls to protect data based on its classification.
All Staff
Required to complete training on data classification and handling procedures.
Data Encryption:
TeamKinetic employs a robust encryption policy to protect sensitive data both in transit and at rest. The key elements of the policy include:
- Encryption Standards: Data at rest is protected with 256-bit AES encryption and data in transit with TLS 1.2, so that information cannot be read if it is intercepted during transmission or if stored media are accessed without authorisation.
- Password Security: Passwords are managed according to industry standards, with enforced complexity rules (see Access Control below). Two-factor authentication (2FA) is additionally required for high-level administrators.
- Regular Audits: The encryption and hashing algorithms in use are audited annually so that no weak or deprecated algorithms remain in service.
- Data Backup: Backups of sensitive data are encrypted using AES-256; transaction logs are backed up every 15 minutes and full database backups are taken daily.
- Compliance and Best Practices: TeamKinetic adheres to industry best practices and complies with relevant regulations, including GDPR. The organisation is committed to ongoing investment in security measures to protect client data.
This encryption policy is part of TeamKinetic's broader commitment to information security and data protection, ensuring that sensitive information is adequately safeguarded against potential threats.
More details here.
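The two checks an annual encryption review would actually run against a TLS client configuration, as an added example (this is not TeamKinetic's code): a context that refuses anything below TLS 1.2 and an audit of the cipher suites it enables. The weak-algorithm markers, the 128-bit floor and the cipher string are this example's own choices, not values taken from the policy.

```python
"""Added example (not TeamKinetic's code): build a client TLS context that will not
negotiate anything below TLS 1.2, and audit the cipher suites it enables for the
legacy algorithms an annual review is meant to catch. The weak-algorithm markers,
the 128-bit floor and the cipher string are this example's own choices."""
import ssl
from typing import Dict, List

# Substrings that identify cipher suites no current deployment should offer.
WEAK_MARKERS = ("RC4", "RC2", "3DES", "DES-CBC3", "MD5", "NULL", "EXPORT", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128


def make_client_context() -> ssl.SSLContext:
    """Verify the peer, refuse TLS 1.0/1.1, and offer only forward-secret AEAD suites."""
    ctx = ssl.create_default_context()            # peer verification + system CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # explicit, even where it is already the default
    # TLS 1.2 suite list: ECDHE/DHE key exchange, AES-GCM or ChaCha20, legacy excluded.
    # TLS 1.3 suites are configured separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def minimum_tls_version_ok(ctx: ssl.SSLContext) -> bool:
    """True only if the context cannot fall back below TLS 1.2."""
    return ctx.minimum_version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def is_acceptable_suite(name: str, strength_bits: int) -> bool:
    """A suite passes if it uses no legacy algorithm and at least a 128-bit key."""
    if any(marker in name for marker in WEAK_MARKERS):
        return False
    return strength_bits >= MIN_STRENGTH_BITS


def weak_cipher_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that fail is_acceptable_suite (empty list = clean)."""
    return [
        suite["name"]
        for suite in ctx.get_ciphers()   # one dict per enabled suite, in priority order
        if not is_acceptable_suite(suite["name"], suite["strength_bits"])
    ]


def audit_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """The two findings an annual encryption review would record for this context."""
    return {
        "min_version_ok": minimum_tls_version_ok(ctx),
        "weak_suites": weak_cipher_suites(ctx),
    }


if __name__ == "__main__":
    print(audit_context(make_client_context()))
```

Run against a context that still permits TLS 1.0 or an `ALL`-style cipher string, `audit_context` returns `min_version_ok` false or a non-empty `weak_suites` list, which is the output a reviewer would attach to the annual audit record.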
Data Retention & Disposal:
TeamKinetic's Data Retention and Disposal Policy outlines the procedures for managing data throughout its lifecycle, ensuring compliance with legal and regulatory requirements. Key components of the policy include:
- Data Retention Periods:
  - Data is retained for a specified period based on its type and relevance, ensuring compliance with UK GDPR and the Data Protection Act 2018.
  - Custom data retention periods can be set within the application, allowing for flexibility in managing different data types.
- User Notification:
  - Users are notified of data retention periods and their rights regarding data access and deletion. This includes the ability for users to self-remove their data when appropriate.
- Data Disposal Procedures:
  - Data that is no longer required is disposed of securely, following best practices to prevent unauthorised access or recovery.
  - Disposal methods comply with ICO guidance, ensuring that all data is irretrievably deleted.
- Compliance and Auditing:
  - The policy includes regular audits to ensure compliance with retention schedules and disposal procedures.
  - TeamKinetic maintains a risk register to assess adherence to governance standards and to manage data effectively.
- Training and Awareness:
  - Ongoing training is provided to staff regarding data retention and disposal practices, ensuring that all employees understand their responsibilities in managing data.
You can read the full policy here
Data Backup & Recovery:
TeamKinetic's Data Backup and Recovery Policy is designed to ensure the integrity and availability of data through systematic backup procedures and recovery strategies. Key components of the policy include:
- Backup Frequency:
  - Database transaction logs are backed up every 15 minutes.
  - Full database backups are conducted daily and encrypted using AES-256.
  - Offsite backups are created weekly.
- Data Recovery:
  - In the event of data loss due to errors or misconfigurations, the database can be rolled back to the appropriate transactional data point for recovery.
  - In case of total failure or server crashes, a new instance can be provisioned with a maximum data loss of 24 hours.
- Application Code and Content:
  - Application code and user data are fully backed up daily to offsite storage.
  - Centralised versioning software is used to maintain a complete backup of application code and changes.
- Testing and Compliance:
  - Backup and recovery strategies are tested monthly for effectiveness, reliability, and integrity.
  - The policy aligns with industry standards and regulatory requirements, ensuring that data protection measures are robust and effective.
- Security Measures:
  - All backups are encrypted to protect against data theft and unauthorised access.
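The two recovery cases above (rolling back to a transactional point after a bad change, and rebuilding after total server loss) lead to very different data-loss windows. The following is an added example, not TeamKinetic's tooling: it selects the restore chain from a backup catalogue and reports the loss window for each case. The catalogue is constructed to mirror the policy's frequencies (a log backup every 15 minutes, a full backup daily); which copies survive a total server loss is this example's assumption (the daily full has a copy off the host, the log backups do not), and the dates are made up.

```python
"""Added example (not TeamKinetic's code): pick the restore chain for a point-in-time
recovery from a backup catalogue and report the data-loss window. The catalogue is
constructed to match the policy's frequencies; the assumption that only the daily
full backup survives a total server loss is this example's, not the policy's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Backup:
    kind: str            # "full" or "log"
    taken_at: datetime
    off_host: bool       # a copy exists somewhere other than the database server


def build_catalogue(first_full: datetime, days: int) -> List[Backup]:
    """Constructed sample catalogue: a full at the same time each day, logs every 15 minutes."""
    backups = [Backup("full", first_full + timedelta(days=d), off_host=True) for d in range(days)]
    backups += [Backup("log", first_full + timedelta(minutes=m), off_host=False)
                for m in range(15, days * 24 * 60, 15)]
    return sorted(backups, key=lambda b: b.taken_at)


def usable(catalogue: List[Backup], primary_lost: bool) -> List[Backup]:
    """After a total server loss only off-host copies can be restored."""
    return [b for b in catalogue if b.off_host or not primary_lost]


def plan_restore(catalogue: List[Backup], target: datetime,
                 primary_lost: bool) -> Optional[Tuple[List[Backup], timedelta]]:
    """Latest restorable full at or before target, then every later log up to target.
    Returns (chain, gap between target and the recovery point), or None if no full fits."""
    candidates = usable(catalogue, primary_lost)
    fulls = [b for b in candidates if b.kind == "full" and b.taken_at <= target]
    if not fulls:
        return None
    base = max(fulls, key=lambda b: b.taken_at)
    logs = sorted((b for b in candidates
                   if b.kind == "log" and base.taken_at < b.taken_at <= target),
                  key=lambda b: b.taken_at)
    recovery_point = logs[-1].taken_at if logs else base.taken_at
    return [base] + logs, target - recovery_point


def worst_case_loss(catalogue: List[Backup], primary_lost: bool) -> timedelta:
    """Largest interval between consecutive restorable backups: the effective RPO."""
    times = sorted(b.taken_at for b in usable(catalogue, primary_lost))
    return max((later - earlier for earlier, later in zip(times, times[1:])), default=timedelta(0))


def demo() -> Dict[str, object]:
    """Walk the policy's two recovery cases on the constructed catalogue (values in minutes)."""
    first_full = datetime(2024, 12, 9, 2, 0)          # constructed date
    cat = build_catalogue(first_full, days=2)
    incident = datetime(2024, 12, 10, 10, 7)          # bad change noticed here
    minutes = lambda td: int(td.total_seconds() // 60)
    rollback = plan_restore(cat, incident, primary_lost=False)      # logs are still on the host
    rebuild = plan_restore(cat, incident, primary_lost=True)        # only the off-host full survives
    to_0930 = plan_restore(cat, datetime(2024, 12, 10, 9, 30), primary_lost=False)
    return {
        "rollback_chain_len": len(rollback[0]),               # 1 full + 32 logs
        "rollback_loss_min": minutes(rollback[1]),            # 7: last log was 10:00
        "rollback_to_0930_loss_min": minutes(to_0930[1]),     # 0: a log lands exactly at 09:30
        "rebuild_chain_len": len(rebuild[0]),                 # the 02:00 full only
        "rebuild_loss_min": minutes(rebuild[1]),              # 487: 02:00 to 10:07
        "rpo_min_primary_intact": minutes(worst_case_loss(cat, False)),   # 15
        "rpo_min_primary_lost": minutes(worst_case_loss(cat, True)),      # 1440
        "before_first_full_is_none": plan_restore(cat, first_full - timedelta(hours=1), False) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the numbers make: the 15-minute log cadence only delivers a 15-minute loss window while the log backups themselves are reachable; once the host is gone, the window is the interval between off-host full backups, which is the 24-hour figure the policy states. Monthly restore tests should exercise both paths.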
3. Access Control
TeamKinetic employs a role-based access control system that adheres to the principle of least privilege. Access to information and systems is restricted based on user roles, ensuring that individuals only have access to the data necessary for their responsibilities. Regular access reviews and audits are conducted to maintain security and compliance.
- Authentication: Strong authentication methods are mandated, including multi-factor authentication (MFA) and Single Sign-On (SSO) for accessing systems and data. All users must authenticate using a combination of username and password, with additional layers of security for high-level administrators.
- Authorisation: The authorisation framework defines specific roles and permissions within the TeamKinetic system. Each role is assigned distinct access rights, ensuring that users can only access information pertinent to their job functions. This structure is regularly reviewed to adapt to any changes in user roles or responsibilities.
- Password Management: TeamKinetic enforces a strong password policy requiring a minimum length of 12 characters, complexity, and regular password changes every 12 months. Users are educated on best practices for password management, including the use of unique passwords for different accounts.
- Access Revocation: Procedures are in place to promptly terminate or modify user access upon employee departure or role change. This includes disabling accounts and recovering any company property to prevent unauthorised access to sensitive information.
For more information, please see here and here.
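What a deny-by-default, least-privilege authorisation check looks like when it has to honour both the role model in this section and the handling requirements of the classification levels in section 2, as an added example (not TeamKinetic's code). The role names, the actions they grant, the clearance each carries and the MFA rule for restricted data are this example's assumptions, not values from the policy.

```python
"""Added example (not TeamKinetic's code): a deny-by-default authorisation check
that combines role permissions with the data classification levels and handling
rules of the policy. The role catalogue, its actions and clearances, and the MFA
requirement for restricted data are this example's assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Classification levels in increasing order of sensitivity.
LEVELS = ("public", "internal", "confidential", "restricted")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Hypothetical role catalogue: what each role may do and the highest level it is
# cleared for. Anything not listed here is not granted.
ROLES = {
    "volunteer":    {"actions": frozenset({"read"}), "clearance": "public"},
    "staff":        {"actions": frozenset({"read", "write"}), "clearance": "internal"},
    "data_owner":   {"actions": frozenset({"read", "write", "share"}), "clearance": "confidential"},
    "senior_admin": {"actions": frozenset({"read", "write", "share", "export"}), "clearance": "restricted"},
}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    owner: str                                   # user id of the data owner
    need_to_know: FrozenSet[str] = frozenset()   # users the owner has explicitly granted access


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]
    mfa_verified: bool = False


AUDIT_LOG: List[str] = []   # every decision on confidential/restricted data is recorded


def decide(user: User, action: str, resource: Resource) -> Tuple[bool, str]:
    """Return (allowed, reason). Any path that is not an explicit allow is a deny."""
    allowed, reason = _evaluate(user, action, resource)
    if RANK[resource.classification] >= RANK["confidential"]:
        verdict = "ALLOW" if allowed else "DENY"
        AUDIT_LOG.append(f"{verdict} {user.user_id} {action} {resource.name}: {reason}")
    return allowed, reason


def _evaluate(user: User, action: str, resource: Resource) -> Tuple[bool, str]:
    # 1. Union the permissions of the roles the user holds; unknown roles grant nothing.
    actions, clearance = set(), -1
    for role in user.roles:
        spec = ROLES.get(role)
        if spec is not None:
            actions |= spec["actions"]
            clearance = max(clearance, RANK[spec["clearance"]])
    if action not in actions:
        return False, "action not granted by any role"
    level = RANK[resource.classification]
    # 2. Role clearance must cover the classification of the data.
    if level > clearance:
        return False, "role clearance below data classification"
    # 3. Confidential and above: clearance alone is not enough; the user must have a
    #    legitimate need to know (the owner, or someone the owner has granted).
    if (level >= RANK["confidential"] and user.user_id != resource.owner
            and user.user_id not in resource.need_to_know):
        return False, "no need-to-know grant"
    # 4. Sharing rules taken from the handling requirements.
    if action == "share":
        if resource.classification == "confidential" and user.user_id != resource.owner:
            return False, "sharing confidential data requires the data owner's consent"
        if resource.classification == "restricted" and "senior_admin" not in user.roles:
            return False, "sharing restricted data requires senior management"
    # 5. Restricted data: this example reads "strictly controlled" as requiring an
    #    MFA-backed session on top of everything above.
    if resource.classification == "restricted" and not user.mfa_verified:
        return False, "MFA required for restricted data"
    return True, "ok"


if __name__ == "__main__":
    alice = User("alice", frozenset({"data_owner"}))
    payroll = Resource("payroll-2024", "confidential", owner="alice")
    print(decide(alice, "share", payroll))
    print(decide(User("bob", frozenset({"staff"})), "read", payroll))
    print(AUDIT_LOG)
```

The ordering matters: the role check runs first so that a user with no role (or a role the catalogue does not know) is refused before any data attribute is consulted, and the need-to-know test runs after the clearance test so that holding a senior role never by itself opens confidential or restricted data. Access revocation on departure then reduces to removing the user from role assignments and from every need-to-know list, which this structure keeps in two places only.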
4. Network Security
TeamKinetic implements a comprehensive network security strategy that includes network segmentation, firewall management, intrusion detection/prevention systems (IDS/IPS), and regular vulnerability scanning. This multi-layered approach ensures the protection of sensitive data and systems from unauthorised access and cyber threats.
- Network Segmentation: Sensitive systems and data are isolated from less critical parts of the network through effective network segmentation. This practice limits access to sensitive information and reduces the risk of lateral movement by potential attackers within the network.
- Firewall Management: TeamKinetic employs both hardware and software firewalls to control the flow of network traffic. These firewalls are configured to prevent unauthorised access and to mitigate potential threats, including Distributed Denial-of-Service (DDoS) attacks. Regular updates and maintenance of firewall rules are conducted to adapt to evolving security threats.
- Intrusion Detection/Prevention Systems (IDS/IPS): Tools are deployed to monitor network traffic for malicious activity. The IDS/IPS systems are designed to detect and prevent attacks in real-time, ensuring that any suspicious activity is promptly addressed.
- Vulnerability Scanning: Regular vulnerability scans and penetration testing are conducted to identify and address security weaknesses within the network and systems. This proactive approach helps to ensure that vulnerabilities are remediated before they can be exploited by malicious actors.
5. Application Security
TeamKinetic is committed to ensuring the security of its applications through a robust framework that includes secure coding practices, application security testing, and third-party software security management.
- Secure Coding Practices: TeamKinetic enforces secure coding standards across all development teams. This includes conducting regular code reviews to identify and mitigate vulnerabilities early in the development process. The organisation adheres to the OWASP Secure Coding Practices to ensure that applications are developed with security in mind.
- Application Security Testing: Security testing is integrated throughout the software development lifecycle at TeamKinetic. This includes both static and dynamic analysis to identify potential security flaws. Regular penetration testing is conducted before major releases to ensure that any vulnerabilities are addressed prior to deployment.
- Third-Party Software Security: TeamKinetic assesses and manages the security of third-party libraries and components used within its applications. This includes evaluating the security posture of third-party software and ensuring that any vulnerabilities are promptly addressed through updates and patches.
For more information, please see here.
6. Physical Security
TeamKinetic is committed to maintaining robust physical security measures to protect its data and assets. This includes comprehensive protocols for data centre security and device security.
- Data Centre Security: TeamKinetic defines stringent physical security measures for its data centres. These include access controls such as biometric entry, internal and external CCTV surveillance, and environmental controls to safeguard against physical threats. The data centres are staffed by security personnel 24/7 and are regularly audited to ensure compliance with security standards.
- Device Security: All company-issued devices, including laptops and mobile phones, are secured with encryption, access controls, and mobile device management (MDM) solutions. This ensures that sensitive information remains protected even if devices are lost or stolen. Regular audits and updates are conducted to maintain the integrity of device security.
More information here.
7. Compliance & Legal
TeamKinetic is committed to adhering to relevant data privacy regulations, establishing robust incident response protocols, and maintaining comprehensive auditing and logging practices to ensure compliance and protect sensitive information.
- Data Privacy: TeamKinetic complies with data privacy regulations such as GDPR and CCPA, ensuring that personal data is processed lawfully, fairly, and transparently. The policy outlines data subject rights, including access, rectification, and erasure of personal data. TeamKinetic employs a 'privacy by design' approach, ensuring that only necessary personal data is processed and shared.
More details here.
- Incident Response: An incident response plan is established to effectively handle security breaches. This includes procedures for reporting incidents, conducting investigations, and implementing recovery measures. TeamKinetic commits to notifying affected parties within 24 hours of a data breach and cooperating fully with investigations in accordance with the Information Commissioner's Office guidelines.
More details here and here.
- Auditing & Logging: TeamKinetic maintains detailed audit logs of security-related events and conducts regular security audits to ensure compliance with legal and regulatory requirements. These logs are protected and accessible only to authorised personnel, facilitating effective monitoring and review of security practices.
More details here.
8. Employee Security Awareness
TeamKinetic is committed to fostering a culture of security awareness among its employees through comprehensive training and clear guidelines on acceptable use of company resources.
- Security Training: TeamKinetic conducts regular security awareness training for all employees, covering critical topics such as phishing, social engineering, and password security. This training is designed to equip employees with the knowledge and skills necessary to identify and respond to potential security threats effectively. New employees receive this training as part of their onboarding process.
More details here and here.
- Acceptable Use Policy: The acceptable use policy defines the appropriate use of company systems and resources, including guidelines for internet and email usage. Employees are expected to use these resources responsibly and in a manner that does not compromise the security of the organisation or its data. Violations of this policy may result in disciplinary action.
More details here.
9. Vendor Management
TeamKinetic is committed to ensuring the security and compliance of its vendor relationships through rigorous security assessments and contractual obligations.
- Security Assessments: TeamKinetic conducts comprehensive security assessments of third-party vendors who have access to company data or systems. This process evaluates the security measures in place to protect sensitive information and ensures that vendors meet the necessary security standards before any data exchange occurs.
- Contractual Obligations: TeamKinetic includes specific security requirements in contracts with vendors. These contractual obligations ensure that vendors adhere to the same security standards as TeamKinetic, thereby protecting company data and maintaining compliance with applicable regulations.
Important Considerations:
TeamKinetic recognises the necessity of maintaining a dynamic security policy that adapts to evolving threats and regulatory requirements. This policy encompasses regular updates, enforcement of consequences for violations, and effective communication of responsibilities to all employees.
- Regular Updates: The security policy is treated as a living document, which is reviewed and updated at least annually. This ensures that it reflects changes in technology, emerging threats, and evolving regulations, thereby maintaining its relevance and effectiveness.
- Enforcement: TeamKinetic clearly defines the consequences for policy violations. This includes disciplinary actions that may be taken against employees who fail to adhere to the established security protocols, thereby reinforcing the importance of compliance.
- Communication: The security policy is communicated to all employees to ensure they understand their responsibilities regarding information security. Regular training sessions and updates are provided to reinforce the importance of the policy and to keep employees informed of any changes.