Cyber Security Policy

This Policy is effective as of 27/05/19.

This Policy is due for review on 27/05/20.

1.              Introduction

We are Kai Ai Ltd and this is our Cyber Security Policy. This policy applies to all Employees.

This Policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure.

The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize our organisation’s reputation.

For this reason, we have implemented a number of security measures. We have also prepared instructions that may help mitigate security risks. We have outlined both provisions in this Policy.

This Policy applies to all our Employees, contractors and anyone who has permanent or temporary access to our systems and hardware.

Although this policy provides overall guidance, to achieve consistent information protection, Employees are expected to apply and extend these concepts to fit the needs of day-to-day operations.

2.              Definitions and key terms

 

Employees

All of our employees, staff and volunteers.

 

Form

A Form includes any of the following that exist on the Services:

  • surveys,
  • contact forms,
  • newsletter subscriptions forms,
  • user registrations forms,
  • e-commerce forms,
  • other registration forms; and
  • text boxes.

IT Specialists

Our management team act as our IT Specialists.

Policy

This Cyber Security Policy.

We, us and our

Kai Ai Ltd

3.              Who we are

The Services are operated by Kai Ai Ltd, a UK Limited company registered in England.

Some important details about us:

Our business address is: 10 Waltham Gardens, Banbury, Oxfordshire OX16 4FD

Our registered address is: 10 Waltham Gardens, Banbury, Oxfordshire OX16 4FD

Our company number is: 11648282

4.              Data classification and access control

Sensitive information is either Confidential or Restricted information, and both are defined later in this Policy.

Although this policy provides overall guidance, to achieve consistent information protection, Employees are expected to apply and extend these concepts to fit the needs of day-to-day operations.

Major risks

The data classification system, as defined in this document, is based on the concept of need to know. This term means that information is not disclosed to any person who does not have a legitimate and demonstrable business need to receive the information. This concept, when combined with the policies defined in this document, will protect our information from unauthorized disclosure, use, modification, and deletion.

Applicable information

This Policy is applicable to all electronic information for which we are the custodian.

Access Control

Need to Know

Each of the Policy requirements set forth in this document are based on the concept of need to know. If an Employee is unclear how the requirements set forth in this Policy should be applied to any particular circumstance, he or she must conservatively apply the need to know concept. That is to say that information must be disclosed only to those people who have a legitimate business need for the information.

System Access Controls

The proper controls shall be in place to authenticate the identity of users and to validate each user’s authorization before allowing the user to access information or services on the system.  Data used for authentication shall be protected from unauthorized access.  Controls shall be in place to ensure that only personnel with the proper authorization and a need to know are granted access to our systems and our resources.  Remote access shall be controlled through identification and authentication mechanisms.

Access Granting Decisions

Access to our sensitive information must be provided only after the written authorization of the Data Owner has been obtained.  Access requests will be presented to the data owner using the Access Request template.  Custodians of the involved information must refer all requests for access to the relevant Owners or their delegates.  Special needs for other access privileges will be dealt with on a request-by-request basis.  The list of individuals with access to Confidential or Restricted data must be reviewed for accuracy by the relevant Data Owner in accordance with a system review schedule approved by our board / directors.

Information Classification

All electronic information must have a designated Owner. Production information is information routinely used to accomplish business objectives. Owners are responsible for assigning appropriate sensitivity classifications as defined below. Owners do not legally own the information entrusted to their care. They are instead designated members of our management team who act as stewards, and who supervise the ways in which certain types of information are used and protected.

RESTRICTED

This classification applies to the most sensitive business information that is intended for use strictly within our organisation. Its unauthorized disclosure could seriously and adversely impact us, or our customers, our business partners, and our suppliers.

CONFIDENTIAL

This classification applies to less-sensitive business information that is intended for use within our organisation. Its unauthorized disclosure could adversely impact us, or our customers, our business partners, our suppliers, or our Employees.

PUBLIC

This classification applies to information that has been approved by our management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be disseminated without potential harm.

Data Owners must make decisions about who will be permitted to gain access to information, and the uses to which this information will be put. Employees must take steps to ensure that appropriate controls are utilized in the storage, handling, distribution, and regular usage of electronic information.

Object Reuse and Disposal

Storage media containing sensitive (i.e. restricted or confidential) information shall be completely empty before reassigning that medium to a different user or disposing of it when no longer used.  Simply deleting the data from the media is not sufficient.  A method must be used that completely erases all data. When disposing of media containing data that cannot be completely erased it must be destroyed in a manner approved by our board / directors.

Physical Security

Access to the data center must be physically restricted in a reasonable and appropriate manner. 

All network equipment (routers, switches, etc.) and servers located in the corporate office and in all facilities must be secured when no personnel, or authorized contractors, are present.  Physically secured is defined as locked in a location that denies access to unauthorized personnel.

Special Considerations for Restricted Information

If Restricted information is going to be stored on a personal computer, portable computer, personal digital assistant, or any other single-user system, the system must conform to data access control safeguards approved by our board / directors.  When these users are not currently accessing or otherwise actively using the restricted information on such a machine, they must not leave the machine without logging off, invoking a password protected screen saver, or otherwise restricting access to the restricted information.

Employees and vendors must not install encryption software to encrypt files or folders without the express written consent of our board / directors.

Information Transfer

Transmission Over Networks

If Restricted data is to be transmitted over any external communication network, it must be sent only in encrypted form. Such networks include electronic mail systems, the Internet, etc. All such transmissions must use a virtual public network or similar software as approved by the board / directors.

Transfer To Another Computer

Before any Restricted information may be transferred from one computer to another, the person making the transfer must ensure that access controls on the destination computer are commensurate with access controls on the originating computer. If comparable security cannot be provided with the destination system’s access controls, then the information must not be transferred.

Software Security

Secure Storage of object and source code

Object and source code for system software shall be securely stored when not in use by the developer.  Developers must not have access to modify program files that actually run in production.  Changes made by developers must be implemented into production.  Unless access is routed through an application interface, no developer shall have more than read access to production data.  Further, any changes to production applications must follow the change management process.

Testing

Developers must at least perform unit testing.  Final testing must be performed by the Quality Assurance team or the target user population.

Backups

Sensitive data shall be backed up regularly, and the backup media shall be stored in a secure environment.

Key Management

Protection of Keys

Public and private keys shall be protected against unauthorized modification and substitution. 

Procedures

Procedures shall be in place to ensure proper generation, handling, and disposal of keys as well as the destruction of outdated keying material.

Safeguarding of Keys

Procedures shall be in place to safeguard all cryptographic material, including certificates.  IS Security must be given copies of keys for safekeeping.

5.              Confidential data

Confidential data is secret and valuable. Common examples are:

  • Unpublished financial information.
  • Data of customers/partners/vendors.
  • Patents, formulas or new technologies.
  • Customer lists (existing and prospective).

All Employees are obliged to protect this data. In this policy, we will give our Employees instructions on how to avoid security breaches.

6.              Protect personal and organisation devices

When Employees use their digital devices to access organisation e-mails or accounts, they introduce security risk to our data. We advise our Employees to keep both their personal and organisation issued computer, tablet and cell phone secure. They can do this if they:

  • Keep all devices password protected.
  • Choose and upgrade a complete antivirus software.
  • Ensure they do not leave their devices exposed or unattended.
  • Install security updates of browsers and systems monthly or as soon as updates are available.
  • Log into organisation accounts and systems through secure and private networks only.

We also advise our Employees to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others.

When new hires receive organisation-issued equipment they will receive instructions for:

  • Disk encryption setup
  • Password management tool setup
  • Installation of antivirus/ anti-malware software

They should follow instructions to protect their devices and refer to our IT Specialists if they have any questions.

7.              Keep e-mails safe

E-mails often host scams and malicious software (e.g. worms.) To avoid virus infection or data theft, we instruct Employees to:

  • Avoid opening attachments and clicking on links when the content is not adequately explained (e.g. “watch this video, it’s amazing.”)
  • Be suspicious of clickbait titles (e.g. offering prizes, advice.)
  • Check e-mail and names of people they received a message from to ensure they are legitimate.
  • Look for inconsistencies or give-aways (e.g. grammar mistakes, capital letters, excessive number of exclamation marks.)

If an Employee isn’t sure that an e-mail they received is safe, they can refer to our IT specialists.

Unacceptable behaviour

The following behaviour by an Employee is considered unacceptable:

  • use of organisation communications systems to set up personal businesses or send chain letters,
  • forwarding of organisation confidential messages to external locations,
  • distributing, disseminating or storing images, text or materials that might be considered indecent, pornographic, obscene or illegal,
  • distributing, disseminating or storing images, text or materials that might be considered discriminatory, offensive or abusive, in that the context is a personal attack, sexist or racist, or might be considered as harassment,
  • accessing copyrighted information in a way that violates the copyright,
  • breaking into the organisation’s or another organisation’s system or unauthorised use of a password/mailbox,
  • broadcasting unsolicited personal views on social, political, religious or other non-business related matters,
  • transmitting unsolicited commercial or advertising material,
  • undertaking deliberate activities that waste staff effort or networked resources; and
  • introducing any form of computer virus or malware into the corporate network.

Devices

Employees may use their own smart phone or tablet with their business e-mail account provided that:

  • they have secured their device in accordance with our Information Security Policy,
  • the device requires a passcode to be entered before e-mails can be viewed,
  • they have informed their line manager, and
  • they confirm that their device has been recorded in our IT Equipment Asset Register.

You are not expected to respond to e-mails received out of hours.

Content

Employees are expected to maintain a friendly, helpful and professional style and tone in business e-mails. General style and tone should be between the informality of a telephone conversation and the formality of a letter.

A more formal style should be adopted for formal documents or when approaching someone for the first time.

Employees are expected to use their judgement and adjust their style and tone for the person they are contacting.

Employees agree to always use our standard signature, including any disclaimers, in all of their outgoing e-mails.

Sending e-mails

Employees should use their own, password-protected accounts to send e-mails. These passwords should be strong and use a mix of letters, numbers and symbols.

Employees are required to use Calibri font at 11pt, in black.

Employees may only send attachments up to a total of 10MB per e-mail. Transferring larger files should be carried out using One Drive, Dropbox or WeTransfer.

Employees aren’t permitted to send confidential information using e-mail. This includes, but is not limited to:

  • Personal data,
  • Customer information, and
  • New product or service information.

E-mail can be as contractually binding as any other form of communication and therefore, Employees aren’t permitted to use e-mail for any contractually significant communications.

Employees should aim to acknowledge priority e-mails and e-mails from customers within 24 hours.

Storing e-mails

E-mails can pose a security risk to our organisation. They are often used to distribute viruses and spyware, or for phishing attempts.

Employees must delete attachments from unknown senders immediately.

Employees are required to contact their line manager or the IT department if they receive a suspicious attachment or if they suspect a virus has entered the system.

Employees should always check that the sender of the e-mail is correct before opening or replying to the e-mail.

Employees should never click on links in e-mails and must instead copy and paste the URL into their browser.

Viruses and phishing

Employees must store e-mails for a minimum of 7 years.

Monitoring

We accept that the use of e-mail is a valuable business tool. However, misuse of this facility can have a negative impact upon Employee productivity and our reputation.

In addition, all of our e-mail resources are provided for business purposes.  Therefore, we maintain the right to examine any systems and inspect any data recorded in those systems. We may inspect Employees e-mails for specific business purposes, including:

  • establishing the content of transactions and other important business communications,
  • making sure Employees are complying with the law and with our internal policies,
  • preventing abuse of our telecoms system; and
  • checking e-mails when Employees are on leave.

In order to ensure compliance with this policy, we also reserve the right to use monitoring software in order to check upon the use and content of e-mails. Such monitoring is for legitimate purposes only and will be undertaken in accordance with a procedure agreed with Employees.

Sanctions

Where it is believed that an Employee has failed to comply with this Policy, they will face our disciplinary procedure. If the Employee is found to have breached the Policy, they will face a disciplinary penalty ranging from a verbal warning to dismissal. The actual penalty applied will depend on factors such as the seriousness of the breach and the Employee’s disciplinary record.

8.              Manage passwords properly

Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure, so they won’t be easily hacked, but they should also remain secret. For this reason, we advise our Employees to:

  • Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays.)
  • Remember passwords instead of writing them down. If Employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done.
  • Exchange credentials only when absolutely necessary. When exchanging them in-person isn’t possible, Employees should prefer the phone instead of e-mail, and only if they personally recognize the person they are talking to.
  • Change their passwords every two months.

Remembering a large number of passwords can be daunting. We will purchase the services of a password management tool which generates and stores passwords. Employees are obliged to create a secure password for the tool itself, following the abovementioned advice.

9.              Transfer data securely

Transferring data introduces security risk. Employees must:

  • Avoid transferring sensitive data (e.g. customer information, Employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, we request Employees to ask our IT Specialists for help.
  • Share confidential data over the organisation network/ system and not over public Wi-Fi or private connection.
  • Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
  • Report scams, privacy breaches and hacking attempts.

Our IT Specialists need to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our Employees to report perceived attacks, suspicious e-mails or phishing attempts as soon as possible to our specialists. Our IT Specialists must investigate promptly, resolve the issue and send an alert when necessary.

Our IT Specialists are responsible for advising Employees on how to detect scam e-mails. We encourage our Employees to reach out to them with any questions or concerns.

10.          Additional measures

To reduce the likelihood of security breaches, we also instruct our Employees to:

  • Turn off their screens and lock their devices when leaving their desks.
  • Report stolen or damaged equipment as soon as possible to the IT Specialists.
  • Change all account passwords at once when a device is stolen.
  • Report a perceived threat or possible security weakness in organisation systems.
  • Refrain from downloading suspicious, unauthorized or illegal software on their organisation equipment.
  • Avoid accessing suspicious websites.

We also expect our Employees to comply with our social media and internet usage policy.

Our IT Specialists should:

  • Install firewalls, anti-malware software and access authentication systems.
  • Arrange for security training to all Employees.
  • Inform Employees regularly about new scam e-mails or viruses and ways to combat them.
  • Investigate security breaches thoroughly.
  • Follow this policies provisions as other Employees do.

Our organisation will have all physical and digital shields to protect information.

11.          Remote Employees

Remote Employees must follow this policy’s instructions too. Since they will be accessing our organisation’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure.

We encourage them to seek advice from our IT Specialists.

12.          Disciplinary Action

We expect all our Employees to always follow this policy and those who cause security breaches may face disciplinary action:

  • First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the Employee on security.
  • Intentional, repeated or large-scale breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action up to and including termination. We will examine each incident on a case-by-case basis.

Additionally, Employees who are observed to disregard our security instructions will face progressive discipline, even if their behaviour hasn’t resulted in a security breach.

13.          Take security seriously

Everyone, from our customers and partners to our Employees and contractors, should feel that their data is safe. The only way to gain their trust is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security top of mind.

14.          Agreement

All Employees are required to read, understand and accept this policy.

15.          Further Information

Employees should contact their manager for further information regarding this Policy.