Reddico 'R' Symbol

Security

1.Introduction

The security and integrity of our IT Systems is a priority for Reddico Digital.  All employees and any authorised third parties, including without limitation, sub-contractors, consultants and contractors (together “users”) are expected to comply with this policy, updated from time to time.

2.Intended purpose

The purpose of this policy is to establish a framework for managing risks and protecting Reddico's IT infrastructure, computing environment, hardware, software and any and all other relevant equipment (“IT Systems”) against all types of threats, internal or external, intentional or unintentional.

3.Stakeholder Responsibilities

Reddico Digital's IT Department shall be responsible for carrying out the installation, ongoing maintenance (including without limitation, any upgrades or repairs) and ensuring the security and integrity of the IT Systems, either directly or, via an authorised third party.  Accordingly, the IT Department is responsible for data stored on the IT Systems, unless otherwise stated.

In furtherance of the section above, the IT Department shall be responsible for:

  • Investigating any security breaches and / or misconduct, and shall escalate to Luke Kyte or Kirk Fletcher as appropriate.

  • Regularly reviewing IT security standards and ensuring the effective implementation of such standards, by way of periodic audits and risk assessments.

  • Ensuring organisational management and dedicated staff responsible for the development, implementation and maintenance of this policy.

  • Providing assistance as necessary to users to help them in their understanding and compliance with this policy, as well as keeping all Users aware and up to date with all applicable laws including, without limitation, the GDPR and the Computer Misuse Act 1990.

  • Providing adequate training and support in relation to IT security matters and use of the IT Systems, to all Users

  • Ensuring that the access to IT Systems granted to all users takes into account their job role, responsibilities and any additional security requirements, so that only necessary access is granted for each user.

  • Dealing with all reports, whether from users or otherwise, relating to IT security matters and carrying out a suitable response for the situation.

  • Implementing appropriate password controls.

  • Maintaining a complete list of all hardware items within the IT Systems. All such hardware shall be labelled and the corresponding data shall be kept by the IT and finance department.

  • Ensuring compliance with all IT security standards set out in ISO 27001.

The users shall be responsible for:

  • Informing the IT Department immediately of any actual or potential security breaches or concerns relating to the IT Systems.

  • Informing the IT Department immediately in respect of any technical or functional errors experienced relating to the IT Systems.

  • Complying with this policy and all laws applicable to the users relating to their use of the IT Systems.

Users must not attempt to resolve an IT security breach on their own without consulting the IT Department first.

4.Access to IT Systems

There shall be logical access controls designed to manage electronic access to data and IT System functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).

  • All IT Systems shall only be accessible by a secure log-in system as deemed suitable by the IT Department.

  • The IT Department shall conduct regular system audits or event logging and related monitoring procedures to proactively record user access and activity on the IT Systems for routine review.

5.Passwords

The IT Department shall implement password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the company passwords that are assigned to users:

  • Be at least 12 characters in length.

  • Not be stored in readable format on Reddico's IT Systems.

  • Must be changed every six months.

  • Must have defined complexity.

  • Must have a history threshold to prevent reuse of recent passwords.

  • Must be kept confidential.

Two-factor authentication is also mandatory across all of Reddico's Google users.

6.Hardware

All mobile devices (including, without limitation, laptops, tablets and mobile telephones) should be kept securely by users using secure cases where appropriate. Users should not leave such mobile devices unattended other than at their homes or business premises.

  • All non-mobile devices (including, without limitation, desktop computers, workstations and monitors) shall, wherever possible and practical, be secured in place with a suitable locking mechanism.

  • Users are not permitted to connect any of their personal hardware to the IT Systems without the express approval of the IT Department.

7.Software

All software installation on to the IT Systems shall be the responsibility of the IT Department.  Users are not permitted to install any software on to the IT Systems unless expressly approved in writing by the IT Department.

All software installed on to the IT Systems shall be kept sufficiently up to date in order to ensure that the security and integrity of the IT Systems is not compromised.

8.Vulnerability Assessment and Anti-Virus

The IT Department shall carry out regular vulnerability assessments, and utilise patch management, threat protection technologies and scheduled monitoring to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

9.Data Protection

The collection, holding and processing of all personal data (as defined in the General Data Protection Regulation 2016(“GDPR”)) by Reddico will be carried out in compliance with (i) the GDPR and (ii) Reddico's own Data Protection Policy.

Reddico Digital is registered with the International Commissioner’s Office as both a data controller and data processor. Full information on data protection can be found in our handbook.

The following constitutes guidelines for all employees when it comes to data protection:

  • Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely.  The email itself should be deleted.  All temporary files associated therewith should also be deleted.

  • If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.

  • No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of Reddico where the party in question has agreed to comply fully with this policy. All contracts include GDPR and data protection clauses.

  • Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.  Hardcopies should be shredded, and electronic copies should be deleted securely.

  • The IT Department shall ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data.

  • All personal data stored electronically should be backed up every 90 days with backups stored on Google Cloud. All backups should be encrypted.

  • All electronic copies of personal data should be stored securely using passwords and data encryption.

  • Only users that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by Reddico.

  • All users that have access to, and handle personal data on Reddico's behalf, shall adhere to Reddico's Data Protection Policy.

10. Business Continuity

Reddico has in place adequate business resiliency/continuity and disaster recovery procedures designed to maintain any information and the supply of any service and/or recovery from foreseeable emergency situations or disasters.

This is covered in Reddico’s ISO 27001 and 9001 compliance. 

11. Training

All employees at Reddico Digital are instructed on the importance of data protection. This training forms part of all new team member’s onboarding to the company. 

12. ISO 27001 

Reddico Digital is officially certified with the ISO 27001 accreditation, demonstrating the company’s compliance and commitment to the highest standards of data security and protection. 

For more information on this standard, or to learn more about Reddico’s range of compliance measures, please contact Luke Kyte.