
Introduction

Information Security Policy

Our Information Security Policy serves as the foundation for our security efforts. It outlines our commitment to protecting sensitive information, the roles and responsibilities of employees, and the consequences of security breaches. All employees are required to read and understand this policy.

Access Control

Access to BOS is tightly controlled. This section outlines the procedures for granting, modifying, and revoking user access, as well as the use of strong authentication methods, password policies, and role-based access control. Access control is a critical component of our overall security strategy. It ensures that:

  • Only authorized individuals have access to sensitive systems, data, and resources.
  • Unauthorized access attempts are detected and prevented.
  • Access privileges are granted based on job roles and responsibilities.

Monitoring and Auditing

Access and login activities are monitored and logged. Regular audits of access logs are conducted to detect and investigate any suspicious activities.

Incident Response

In case of a security incident or unauthorized access, the incident response plan documented separately (Provide File Path) will be followed.

Data Protection

Data is one of our most valuable assets. This section covers data encryption, data classification, data retention policies, and data backup procedures. It also explains how sensitive data should be handled, stored, and transmitted securely. Data protection is a top priority for BOS. It encompasses all measures taken to protect data from unauthorized access, disclosure, alteration, and destruction. This policy defines our approach to data protection and sets guidelines for the handling of data.

Data Categories

We classify data into the following categories:

  • Confidential: Highly sensitive data whose disclosure, alteration, or loss would cause serious harm; it is subject to the strictest handling, storage, and encryption controls.
  • Sensitive: Data that, if compromised, could have significant consequences for the organization.
  • Public: Non-sensitive data that can be shared publicly.

Data Ownership

Each data category has designated data owners responsible for its protection and management.

Data Handling and Storage

  • All data must be handled and stored in a manner consistent with its classification.
  • Physical documents containing sensitive data must be kept in locked cabinets or secure storage areas.
  • Digital data must be stored on approved, secured systems and encrypted at rest where its classification requires it (see Data Encryption).

Data Access

  • Access to data is granted based on job roles and responsibilities through role-based access control (RBAC) or similar mechanisms.
  • Access rights are reviewed regularly to ensure alignment with job functions.
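The following is an added illustration, not BOS's own implementation, of how the Monitoring and Auditing and Data Access requirements fit together in code: a deny-by-default access check that compares a role's clearance against the classification of the data being requested, writes every decision to an access log, and an audit pass over that log that flags users with repeated denials. The role names, resource names, and log events are constructed for the example.

```python
"""Added example: classification-aware RBAC check with an access log and
a simple audit over it. Illustrative only; roles, resources, and the
threshold are assumptions, not BOS's actual configuration."""
from collections import Counter
from dataclasses import dataclass, field

# Classification levels from the Data Categories section, ordered by sensitivity.
LEVELS = {"public": 0, "sensitive": 1, "confidential": 2}

# Hypothetical roles and the highest classification each may read.
# A role that is not listed has no clearance at all (deny by default).
ROLE_CLEARANCE = {
    "intern": "public",
    "analyst": "sensitive",
    "finance-manager": "confidential",
}

# Hypothetical resources and the classification assigned by their data owner.
RESOURCE_CLASS = {
    "press-kit": "public",
    "customer-list": "sensitive",
    "q3-ledger": "confidential",
}


@dataclass
class AccessLog:
    """In-memory stand-in for the access log that is audited regularly."""
    events: list = field(default_factory=list)


def check_access(user: str, roles, resource: str, log: AccessLog) -> bool:
    """Allow only if some role's clearance is at or above the resource's
    classification. Unknown resources and unknown roles are denied, and
    every decision, allowed or denied, is logged for later audit."""
    classification = RESOURCE_CLASS.get(resource)
    allowed = False
    if classification is not None:
        for role in roles:
            clearance = ROLE_CLEARANCE.get(role)
            if clearance is not None and LEVELS[clearance] >= LEVELS[classification]:
                allowed = True
                break
    log.events.append({
        "user": user,
        "resource": resource,
        "classification": classification,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def suspicious_users(log: AccessLog, threshold: int = 3):
    """Audit step: users with at least `threshold` denied attempts.
    Repeated denials are a common sign of probing or of a stale role
    that no longer matches the user's job function."""
    denials = Counter(e["user"] for e in log.events if e["decision"] == "deny")
    return sorted(user for user, count in denials.items() if count >= threshold)


def run_demo():
    """Constructed sequence of requests; returns the audit result."""
    log = AccessLog()
    check_access("alice", ["finance-manager"], "q3-ledger", log)   # allowed
    check_access("bob", ["analyst"], "customer-list", log)         # allowed
    check_access("bob", ["analyst"], "q3-ledger", log)             # denied
    for _ in range(3):                                             # repeated probing
        check_access("mallory", ["intern"], "q3-ledger", log)
    return suspicious_users(log)


if __name__ == "__main__":
    print("users to investigate:", run_demo())
```

The check is written so that the absence of a rule means denial; the audit threshold is a tunable assumption and, in practice, would be paired with the time window and alerting used by the monitoring team.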

Data Encryption

  • Data in transit is encrypted using current industry-standard protocols (for example, TLS); unencrypted transmission of sensitive or confidential data is not permitted.
  • Sensitive data at rest is encrypted using approved encryption methods.

Data Retention

  • Data retention policies are established based on legal, regulatory, and operational requirements.
  • Data is retained only as long as necessary for its intended purpose.

Data Backup and Recovery

  • Regular data backups are performed to ensure data availability and recovery in case of data loss.
  • Backup procedures are documented separately in the [Get content]

Physical Security

Physical security measures are essential to protect our assets. This section discusses physical access controls and security measures for our data centers and offices.

Access Control Systems

  • Access to our facilities is controlled through electronic access control systems, including card readers, biometric systems, and PIN codes.
  • Access rights are assigned based on job roles and responsibilities.

Access Monitoring

  • Access logs are maintained and regularly reviewed to identify unauthorized access.
  • Access records are retained for a specified period.

Third-Party Security

When working with third-party vendors or partners, security considerations are paramount. This section explains our due diligence process, contractual requirements, and ongoing monitoring of third-party security.

Third-Party Risk Assessment

Vendor Selection

  • All third-party vendors and partners must undergo a thorough security assessment before engagement.
  • Security and privacy assessments are conducted to evaluate the vendor's compliance with our security standards.

Risk Assessment

  • A risk assessment is conducted to evaluate the potential security risks associated with a third-party engagement.
  • Risks are categorized, assessed, and mitigated as necessary.

Contractual Requirements

Security Requirements

  • All contracts with third-party vendors include specific security requirements, including data protection, access controls, and incident reporting obligations.
  • Security Service Level Agreements (SLAs) are established to ensure compliance.

Data Protection

  • Third parties are contractually bound to protect our data and comply with applicable data protection regulations.
  • Data sharing and handling requirements are clearly defined in contracts.

Third-Party Audits and Assessments

  • Regular audits and assessments are conducted to evaluate third-party security controls and compliance with contractual obligations.
  • Audits may include on-site visits, document reviews, and vulnerability assessments.

Reporting Security Incidents

Employees and stakeholders play a crucial role in our security efforts. This section provides instructions on how to report security incidents, including whom to contact and the information to include in incident reports.