1 Introduction
1.1 Quant Foundry takes the view that IT security problems are expensive and time-consuming to resolve; prevention is far better than cure.
1.2 Responsibilities: –
• Chris Cormack has overall responsibility for IT security strategy.
• David Kelly has day-to-day operational responsibility for implementing this policy.
• Chris Cormack is the data protection officer, advising on data protection law and best practice.
1.3 We will review this policy annually.
2 Definitions
2.1 We classify the information we need to carry out our duties, and we limit access to personal data to those who need it for processing.
2.2 We classify information into different categories so that we can ensure that we protect data properly and that we allocate security resources appropriately: –
• Unclassified. Information that can be made public without any implications for the company, such as information already in the public domain.
• Employee-confidential. Information such as medical records, pay and so on.
• Company-confidential. Contracts, source code, business plans, passwords for critical IT systems, client contact records and accounts.
• Client-confidential. Personally identifiable information such as names or addresses, passwords to client systems, client business plans and new product information.
2.3 The deliberate or accidental disclosure of any confidential information has the potential to harm the business. This policy is designed to minimise that risk.
2.4 You should assume information is confidential unless you are sure it is not – act accordingly.
2.5 For client and employee personal data, we operate in compliance with the GDPR right of access: the right of a data subject to obtain confirmation as to whether we are processing their personal data, where we are processing it and for what purpose. On request we will provide the data subject with a copy of their personal data, free of charge, in an electronic format.
2.6 We also support data portability: on request, we will transmit a data subject’s data to another controller.
2.7 In general, to protect confidential information we implement the following access controls: –
• Company-confidential data. A managing director grants access to the main server, with read/write permission. Currently access is restricted to the managing directors; all other staff are denied access.
• Client-confidential data. Access to client-confidential information is on a need-to-share basis. All employees sign an NDA before receiving client-confidential information.
• Employee-confidential data. A managing director grants access to the main server, with read/write permission. Currently access is restricted to the managing directors; all other staff are denied access.
• Only the managing directors hold admin privileges for the shared drive, model library, email, Dropbox, Slack and Trello.
3 Access controls
3.1 Internally, as far as possible, we operate on a need-to-share rather than a need-to-know basis concerning confidential company information. We intend to share information to help people do their jobs rather than raise barriers to access needlessly.
3.2 To protect our data, systems, users and customers we use the following arrangements: –
• Laptop and desktop anti-malware. Malwarebytes.
• Server anti-malware. Windows Defender.
• Cloud-hosted email spam, malware and content filtering. Provided by BlueHost (cloud-hosted).
• Email archiving and continuity. Provided by BlueHost (cloud-hosted).
• Website malware and vulnerability scanning. Provided by BlueHost (cloud-hosted).
• Intrusion detection and prevention. Windows Firewall (host firewall on every machine).
• Perimeter firewall. The firewall on the Regus wifi (Regus are the landlord at 68 Lombard St). None of our computers is configured to accept inbound connections from outside.
4 Security software
4.1 When a new employee joins the company, we will add them to the following systems:
• Email: first.last@quantfoundry.com
• Trello Boards (project specific)
• Slack
• WhatsApp group (non-confidential information)
• Shared server, for quant developers (model library only)
4.2 No access is provided to the following unless promoted to managing director:
• Dropbox
• Shared server – Management file
4.3 We will provide training to new staff and support for existing staff to implement this policy: –
• An initial introduction to IT security, covering the risks, the necessary security measures, company policies and where to get help
• Training on how to use company systems and security software properly
• On request, a security health check on their computer, tablet or phone
When people leave a project or leave the company, we will promptly revoke their access to company systems.
4.4 Effective security is a team effort requiring the participation and support of every employee and associate. It is the responsibility of all employees to know and follow these guidelines. You are personally responsible for the secure handling of confidential information.
4.5 You may access, use or share confidential information only to the extent that it is authorised and necessary for the proper performance of your duties. Promptly report any theft, loss or unauthorised disclosure of protected information, or any breach of this policy, to the data protection officer.
4.6 It is also your responsibility to use your devices (computer, phone, tablet) securely. At a minimum: –
• Remove software that you do not use or need from your computer
• Update your operating system and applications regularly
• Keep your computer firewall switched on
• For Windows users, make sure you install anti-malware software (or use the built-in Windows Defender) and keep it up to date. For Mac users, consider installing anti-malware software.
• Store files in the company’s non-cloud storage locations so that they are backed up properly and available in an emergency.
• Switch on whole-disk encryption
• Understand the privacy and security settings on your phone and social media accounts
• Have separate user accounts for other people, including family members, if they use your computer. Ideally, keep your work computer separate from any family computers.
• Don’t use an administrator account on your computer for everyday use
• Make sure your computer and phone lock automatically after at most 15 minutes of inactivity and require a password to unlock
• Never share passwords, and make passwords hard to guess
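The Windows items in the device baseline above (host firewall on, anti-malware up to date, whole-disk encryption, automatic lock within 15 minutes) can be verified rather than taken on trust. The script below is an added example, not part of the original policy or any Quant Foundry tooling: it is a read-only posture check that reports which baseline items a Windows 10/11 machine fails. It assumes BitLocker is the whole-disk encryption in use and Windows Defender the anti-malware product; the three-day signature-age threshold is an assumed limit, not a figure from the policy. Run it in an elevated PowerShell session.

```powershell
# Added example: read-only check of a Windows machine against the device baseline.
# Assumes BitLocker for whole-disk encryption and Windows Defender for anti-malware.
# Not part of the original policy; run as administrator.

$findings = @()

# Whole-disk encryption: every BitLocker volume should report FullyEncrypted.
try {
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "Encryption: volume $($vol.MountPoint) is $($vol.VolumeStatus)"
        }
    }
} catch {
    $findings += "Encryption: BitLocker status unavailable ($($_.Exception.Message))"
}

# Host firewall: the Domain, Private and Public profiles should all be enabled.
foreach ($profile in Get-NetFirewallProfile) {
    if ($profile.Enabled -ne 'True') {
        $findings += "Firewall: profile $($profile.Name) is disabled"
    }
}

# Anti-malware: Defender real-time protection on and signatures recent.
# The 3-day limit is an assumed threshold, not a figure from the policy.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += "Anti-malware: Defender real-time protection is off"
}
if ($mp.AntivirusSignatureAge -gt 3) {
    $findings += "Anti-malware: signatures are $($mp.AntivirusSignatureAge) days old"
}

# Automatic lock: secure screen saver with a timeout of at most 15 minutes (900 s).
# Both values are REG_SZ under HKCU and are absent (treated as 0) if never set.
$desk    = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desk.ScreenSaveTimeOut
if ($desk.ScreenSaverIsSecure -ne '1' -or $timeout -eq 0 -or $timeout -gt 900) {
    $findings += "Lock: screen saver not secure, or timeout ${timeout}s is not within 1-900s"
}

if ($findings.Count -eq 0) {
    Write-Output 'All baseline checks passed'
} else {
    Write-Output 'Baseline findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script changes nothing; it only reads status, so it is safe to run as part of the on-request health check in 4.3. Any finding it prints is a policy deviation to fix by hand (enable the profile, turn on BitLocker, set the screen-saver timeout) rather than something the script should silently correct.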
5 Your security responsibilities
5.1 Protecting your device and your passwords: –
• Change default passwords and PINs on computers, phones and all network devices
• Consider using a password manager
• Don’t share or disclose your password to anyone
• Don’t write PINs and passwords down next to computers and phones
• Use strong passwords
• Change them regularly, and immediately if you suspect they have been compromised
• Don’t reuse the same password across critical systems
5.2 Security awareness. While technology can prevent many security incidents, your actions and habits are also significant. With this in mind: –
• Take time to learn about IT security and keep yourself informed. Get Safe Online is a good source for general awareness
• Use extreme caution when opening email attachments from unknown senders or unexpected attachments from any sender.
• Be on guard against social engineering, such as attempts by outsiders to persuade you to disclose confidential information, including employee-, client- or company-confidential information.
5.3 Fraudsters and hackers can be persuasive and manipulative: –
• Be wary of fake websites and phishing emails. Don’t click on links in emails or social media. Don’t disclose passwords and other confidential information unless you are sure you are on a legitimate website.
• Use social media, including personal blogs, professionally and responsibly, without violating company policies or disclosing confidential information.
• Take particular care of your computer and mobile devices when you are away from home or out of the office.
• If you leave the company, you will return any company property, transfer any company work-related files back to the company and delete all confidential information from your systems as soon as is practicable.
• Where we store confidential information on paper, it should be kept in a secure place where unauthorised people cannot see it and shredded when no longer required.
5.4 The following things (among others) are, in general, prohibited on company systems and while carrying out your duties for the company and may result in disciplinary action:
• Anything that contradicts our equality and diversity policy, including harassment.
• Circumventing user authentication or security of any system, network or account.
• Downloading or installing pirated software.
• Disclosure of confidential information at any time.
6 Backup and disaster recovery
6.1 This is how we back up our business-critical systems: –
• Dropbox, copied to the central server, monthly
• Primary server, backed up to an external hard disk, weekly
6.2 This is how we will respond to potential interruptions to our business:
• Primary server failure. Restore manually from the external disk drive; expect to be operational by 12:00 am.
• Severe transport disruption. Both managing directors are within cycling distance of the office, and cycle storage is available.
• Unable to access the office because of flood, fire, civil disorder or a terrorist incident. Work from home.
• Loss of internet or phone connection. Work from the secure wi-fi at the Guildhall Library; the wifi router also has 4G backup capacity.
• Loss or theft of critical systems. Switch to cloud-based communication (Trello, Dropbox, email, Slack). Access
We will test these contingency plans at least once a year.
6.3 This is how we will respond to IT security issues:
• Malware infection detected by scanners
• Ransomware
• System failure
• Attempted social engineering
• Data loss or theft
6.4 Under the GDPR, where a data breach is likely to result in a risk to the rights and freedoms of individuals, we must notify the supervisory authority without undue delay and within 72 hours of becoming aware of it; where we process data on behalf of a client, we must notify that data controller without undue delay, and where the risk to individuals is high we must also inform the affected individuals. All employees must escalate suspected breaches immediately to either managing director.
6.5 Appointment of a Data Protection Officer. The managing directors appoint a Data Protection Officer on the basis of their expert knowledge of data protection law and practice. This can be a staff member or an external service provider; either way, we will provide their contact details to the relevant data protection authority. The company will ensure the Data Protection Officer is given all appropriate resources to carry out their tasks and maintain their expert knowledge. The Data Protection Officer reports directly to the managing directors and must not carry out any functions that could result in a conflict of interest.