Information Security Policy
Document Version & Control
- Version: 1.0
- Last Review Date: 6 Jan 2025
- Next Review Date: [12 months from last review or upon significant changes]
- Approver: DPO, CTO
Purpose & Scope
This Information Security Policy establishes a framework to protect the confidentiality, integrity, and availability of our information assets. It applies to all employees, contractors, and third-party service providers who have access to our systems, data, or networks, hosted primarily on AWS and Digital Ocean. The policy covers internal systems, external integrations, and data flows.
Compliance & References
- Standards & Frameworks: ISO 27001, SOC 2, NIST SP 800-53
- Regulatory Considerations: PDPA (Singapore), GDPR (if applicable for EU data), and other applicable data protection/privacy laws relevant to our operations. Our primary regulatory concern is Singapore PDPA.
- Related Policies:
  - Data Management & Database Policies
  - Encryption & Key Management Policy
  - Authentication & Access Control Policy
  - Incident Response & Breach Notification Policy
  - Logging, Monitoring & Audit Policies
  - 3rd Party Integration & Vendor Management Policy
Roles & Responsibilities
- DPO: Maintains and enforces the Information Security Policy; oversees security strategy, compliance, and risk management.
- CTO: Ensures technical implementations of security controls align with company standards and best practices.
- Head of Engineering / DevOps Team: Implements, monitors, and maintains technical security measures within infrastructure and applications.
- Employees & Contractors: Must adhere to this policy, participate in security training, and report security incidents.
- Legal & Compliance Officer: Advises on regulatory requirements and ensures documentation aligns with legal obligations.
- Internal Audit / Compliance Team: Conducts periodic reviews to ensure compliance with security policies.
Key Principles
- Confidentiality: Safeguard sensitive information from unauthorized disclosure. Implement least privilege and role-based access to limit data exposure.
- Integrity: Maintain accurate and unaltered data. Employ controls to detect and prevent unauthorized modification, corruption, or tampering.
- Availability: Ensure that systems, data, and services are accessible to authorized users when needed, meeting our operational and SLA commitments.
- Accountability & Non-Repudiation: All security-related actions must be attributable to specific individuals or processes. Maintain audit trails and logs to support investigations and compliance.
- Continuous Improvement: Regularly review and update security policies, controls, and procedures to address new threats, technological changes, and regulatory shifts.
Security Governance & Risk Management
- Risk Assessments: Conduct regular security risk assessments to identify vulnerabilities and threats. Remediate findings based on risk priority.
- Policy Review: Review this Information Security Policy at least annually, or after significant security events or regulatory changes.
- Training & Awareness: Provide in-house security awareness training to all employees and contractors at least annually. Training covers recognizing threats (e.g., phishing) and proper incident reporting.
- Third-Party Management: Vet vendors, contractors, and partners for their security posture. Incorporate data protection requirements in contracts and follow the 3rd Party Integration & Vendor Management Policy for onboarding, monitoring, and offboarding third parties.
Data Ownership & Classification
In addition to the broader data classification model (Public, Internal, Confidential, Restricted), the following clarifies the types of data handled by our platform:
- Client-Owned Data:
  - User-Contributed Content: Data provided or uploaded by the client or its users, such as applicant CVs, data from their Applicant Tracking System (ATS), and email content.
  - Ownership: The client retains ownership and control over this data. Our platform acts as a data processor or service provider, handling the data solely on behalf of the client.
  - Protection: We employ the security controls outlined in this policy to protect client-contributed data from unauthorized access, alteration, or disclosure.
- Platform-Owned Data:
  - Company Internal Data: Internal operational data (e.g., configuration files, application code, metrics) generated or owned by our organization.
  - Rights & Responsibilities: Our company is responsible for safeguarding this data and ensuring it does not mix with client data except where contractually or operationally required.
- Enriched or Publicly Sourced Data:
  - Shared Public Data: Certain datasets (e.g., labor market statistics, public job listings) or data enriched through publicly available sources that may be made accessible across all client organizations as part of our service.
  - Public Data Enrichment: Any enrichment process uses only publicly available information or data the client explicitly consents to share.
  - Ownership & Access: While the platform may aggregate or enrich this data, it remains publicly sourced or platform-generated. Sharing of enriched data across multiple clients is limited to non-sensitive, anonymized, or aggregated information that does not violate client confidentiality or data protection obligations.
- Data Protection & Compliance:
  - We ensure all data handling aligns with PDPA (Singapore), GDPR (if applicable), and other relevant data protection laws.
  - For data that spans multiple classifications (client-owned, platform-owned, and public), we implement logical segregation to prevent unauthorized cross-access or unintended disclosures.
Access Control & Authentication
- Identity Management: Assign unique user IDs. Prohibit shared or generic accounts unless explicitly approved by the DPO under exceptional circumstances.
- Authentication: Enforce Multi-Factor Authentication (MFA) for all critical system access. MFA tokens and credentials must be managed securely.
- Role-Based Access Control (RBAC): Grant access rights strictly on a need-to-know basis. Conduct periodic access reviews to ensure appropriateness of privileges.
- Privileged Accounts: Strictly control and monitor all privileged (e.g., administrative) accounts. Maintain audit trails of privileged user actions.
Data Protection
- Data Classification: Classify data as Public, Internal, Confidential, or Restricted. Apply controls proportional to data sensitivity and based on the ownership classification above (client-owned vs. platform-owned vs. public data).
- Encryption: Encrypt data at rest and in transit according to standards defined in the Encryption & Key Management Policy.
- Data Retention & Destruction: Retain data for 30 days as outlined in the Data Management & Database Policies. Destroy data securely, including backups, within 60 days upon request or end-of-retention.
- Data Loss Prevention (DLP): Employ measures to detect and prevent unauthorized data exfiltration. Monitor data transfers and investigate anomalies.
Infrastructure & Network Security
- Network Segmentation & Firewalls: Segment networks to isolate sensitive systems. Maintain firewall rules and review them regularly for appropriateness and effectiveness.
- Hardening & Configuration Management: Adhere to secure baseline configurations for servers, network devices, and applications. Patch and update systems promptly.
- Vulnerability Management: Perform quarterly scanning with SonarQube and monthly scans using AWS-native scanners. Remediate identified vulnerabilities in a timely manner.
- Cloud Security Controls: Leverage AWS IAM roles for granular access control. Use IAM external access monitoring tools to identify and revoke unused credentials or access keys. Follow best practices for AWS and Digital Ocean environments.
Logging, Monitoring, and Incident Management
- Logging & Audit Trails: Collect and retain logs of security events, access, and system changes as defined in the Logging & Audit Trail Policy.
- Security Monitoring: Continuously monitor system health, performance, and security events. Investigate alerts and anomalies, escalating as necessary.
- Incident Response: Follow the Incident Response & Breach Notification Policy for handling security incidents. Notify clients and regulatory authorities of breaches within 7 days, or as required by law.
- Reporting & Metrics: Although no formal KPIs are currently required, the DPO or security team may provide periodic reports to leadership on critical vulnerabilities, incident response activities, and general security posture.
Business Continuity & Disaster Recovery
- BCP & DR: Refer to the Business Continuity Plan and Disaster Recovery Policy to ensure services remain available and recoverable during disruptions.
- Backup Management: Conduct regular backups, encrypt them, and test restore procedures to ensure data availability during incidents.
- Testing & Exercises: Perform periodic exercises (e.g., tabletop, DR drills) to validate the effectiveness of continuity and recovery plans.
Compliance & Audit
- Regulatory Compliance: Comply with PDPA (Singapore) and GDPR if handling EU data. Consult Legal & Compliance for updates to relevant privacy laws.
- Internal & External Audits: Support internal and external audits. Address audit findings promptly to maintain continuous compliance.
- Policy Exceptions: Document and approve any exceptions to this policy through a formal risk acceptance process overseen by the DPO and CTO.
Enforcement & Violations
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contracts. Severe breaches may lead to legal action and external reporting, as required by law.
Document Review & Maintenance
Review this Information Security Policy annually or after significant changes to technology, regulations, or the threat landscape. Document and communicate all revisions to relevant stakeholders.