TextAnywhere Information Security Policy
This information security policy is a key component of TextAnywhere’s overall information
security management. It incorporates TextAnywhere’s handling of personal data,
protection of that data, security of our systems, and staff procedures.
TextAnywhere is committed to safeguarding your personal information. Whenever you
provide such information, we are legally obliged to use the information in line with all laws
concerning the protection of personal information, including, but not limited to, the Data
Protection Act 1998.
2. Objectives, Aim and Scope
The objectives of TextAnywhere’s Information Security Policy are to preserve:
- » Confidentiality – Access to data shall be confined to those with appropriate authority.
- » Integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
- » Availability – Information shall be available and delivered to the right person, at the time when it is needed.
2.2. Policy Aim
The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications, and networks owned or held by TextAnywhere by:
- » Ensuring that all members of staff are aware of, and fully comply with, the relevant legislation as described in this policy.
- » Describing the principles of security and explaining how they shall be implemented in the organisation.
- » Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
- » Protecting information assets under the control of the organisation.
This policy applies to all information, information systems, networks, applications, locations, and employees of TextAnywhere, or supplied under contract to it.
3. Responsibilities for Information Security
Ultimate responsibility for information security rests with the Directors of TextAnywhere, and, as TextAnywhere is a relatively small organisation, on a day-to-day basis the Directors shall be responsible for managing and implementing the policy and related procedures.
All staff shall comply with information security procedures including the maintenance of data confidentiality and data integrity.
Each member of staff shall be responsible for the operational security of the information systems they use.
TextAnywhere is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of TextAnywhere, who may be held personally accountable for any breaches of information security for which they are responsible.
TextAnywhere shall comply with the following legislation and other legislation as appropriate:
- » Data Protection Act (1998)
- » Data Protection (Processing of Sensitive Personal Data) Order 2000
- » Copyright, Designs and Patents Act (1988)
- » Computer Misuse Act (1990)
- » Health and Safety at Work Act (1974)
- » Human Rights Act (1998)
- » Regulation of Investigatory Powers Act 2000
- » Freedom of Information Act 2000
5. Policy Framework
5.1. Access controls
Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.
5.2. Equipment security
In order to minimise loss of, or damage to, assets and equipment, all assets and equipment shall be physically protected from threats and environmental hazards.
5.3. Information security events and weaknesses
All information security events and suspected weaknesses are to be noted. All information security events shall be investigated to establish their cause and impacts with a view to avoiding similar events.
5.4. Protection from malicious software
The organisation shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to cooperate fully with this policy.
5.5. Monitoring system access and use
An audit trail of system access and data use by staff shall be maintained.
5.6. Business continuity and disaster recovery plans
The organisation shall ensure that business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
6. PCI DSS Compliance
At TextAnywhere Ltd., all online purchases take place safely, using the latest and best internet security and encryption technology to protect our clients. We are fully PCI DSS compliant and as such do not store any sensitive information about your purchases or payment details on our network infrastructure.
We partner with DataCash, a payment gateway owned by MasterCard, to perform the secure transactions on our behalf.
What is PCI DSS compliance?
Payment Card Industry Data Security Standards (PCI DSS) are network security and business practice guidelines adopted by credit card companies such as Visa, MasterCard, and American Express to establish a “minimum security standard” to protect customers’ payment card information.
It is a requirement for all merchants that store, transmit, or process payment card information to be PCI DSS compliant.
About the PCI Data Security Standard (PCI DSS)
The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer account data.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:
» Build and Maintain a Secure Network
- » Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- » Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
» Protect Cardholder Data
- » Requirement 3: Protect stored cardholder data.
- » Requirement 4: Encrypt transmission of cardholder data across open, public networks.
» Maintain a Vulnerability Management Program
- » Requirement 5: Use and regularly update anti-virus software.
- » Requirement 6: Develop and maintain secure systems and applications.
» Implement Strong Access Control Measures
- » Requirement 7: Restrict access to cardholder data by business need-to-know.
- » Requirement 8: Assign a unique ID to each person with computer access.
- » Requirement 9: Restrict physical access to cardholder data.
» Regularly Monitor and Test Networks
- » Requirement 10: Track and monitor all access to network resources and cardholder data.
- » Requirement 11: Regularly test security systems and processes.
» Maintain an Information Security Policy
- » Requirement 12: Maintain a policy that addresses information security.
TextAnywhere is fully compliant with all twelve requirements listed above.
TextAnywhere will only collect information necessary to provide the TextAnywhere service. This includes name and contact information for clients and partners, as well as appropriate financial information from clients.
TextAnywhere will not pass any personal information to any third party at any time without your prior permission.
TextAnywhere may contact you for the following reasons:
- » In relation to the functioning of any service you have signed up for, in order to ensure that TextAnywhere can deliver the services to you
- » Where you have opted to receive further correspondence
- » In relation to any content you have uploaded to your account
- » For marketing purposes where you have specifically agreed to this
We will keep your information confidential except where disclosure is required by law (for example to government bodies and law enforcement agencies).
We will hold your personal information on our systems for as long as is necessary for the service you have signed up for. After this period, we will continue to hold data for as long as it is required for tax and record-keeping purposes. After the cancellation of any account, we will not use the data for any business or marketing purpose other than for tax and record-keeping purposes.
Our Information Security Policy has the full support of the Chairman and the Board of Directors.
To ensure that this policy is properly implemented, TextAnywhere regularly reviews its information security progress at board level.