Information Security and Privacy Policy


1. Purpose
The purpose of this Policy is to safeguard information belonging to the client within a secure environment.

The following is a guideline for how Dasro Consulting Inc. (Dasro) will store and safeguard the client’s information. It is the goal of DASRO that:

Information relates to: 

2. The Policy
DASRO is required to exercise a duty of care in relation to the operation and use of its information systems, especially as it pertains to its customers/clients. 

2.1 Authorized users of information systems

Apart from information publicly available, all employees with access to DASRO information systems must be formally authorized after thorough vetting. Only DASRO personnel with a need-to-know will have access to the client’s data.  

All user accounts created for the sole purpose of accessing the client’s data will be on a need-to-know basis only.  Authorized users will be in possession of a unique user identity. Any password associated with a user identity will not be disclosed to any other person. The “Network password policy” describes these principles in greater detail.   

Authorized users will pay due care and attention to protect client information while in possession of DASRO. Confidential, personal or private information must not be copied or transported without consideration of:

2.2 Acceptable use of information systems  

Use of the client’s information and/or information systems by authorized users will be lawful, honest, and decent and shall have regard to the rights and sensitivities of the client. 

2.3 Information System Owners 

DASRO personnel who have access to customer/client information systems are required to ensure that: 

  1. Systems are adequately protected from unauthorized access. 
  2. Systems are secured against theft and damage to a level that is cost effective. 
  3. Adequate steps are taken to ensure the availability of the information system, commensurate with its importance (Business Continuity). 
  4. Electronic data can be recovered in the event of loss of the primary source, i.e. failure or loss of a computer system. DASRO will take the proper measures to back up [Customer name] data and to be able to restore data to a level commensurate with its importance (Disaster Recovery).
  5. Data is maintained with a high degree of accuracy. 
  6. Systems are used and data is accessed for their intended purpose and that procedures are in place to rectify discovered or notified misuse.
  7. Any electronic access logs are only retained for a justifiable period to ensure compliance with the data protection, investigatory powers and freedom of information acts. 
  8. Any third parties entrusted with [client name] data understand their responsibilities with respect to maintaining its security. 

2.4 Personal Information 

Authorized users of [client name] information systems and/or data are not given rights of privacy in relation to their use of the client’s information systems. Duly authorized personnel of DASRO may only access or monitor [client name] data as it pertains to support of said customer/client. 

2.5 DASRO personnel in breach of this policy will be subject to disciplinary procedures at the instigation of DASRO management with responsibility for the relevant information system, including referral to law enforcement offices where appropriate.  DASRO will take legal action to ensure that its information systems are not used by unauthorized persons. 

3. Ownership

3.1 DASRO has direct responsibility for maintaining this policy and providing guidance and advice on its implementation. Information system owners are responsible for implementing this policy within their area and for ensuring adherence to it.