IWSR Data Processing Policies

Privacy Policy, Data Processing Policy & Information Security Policy

Contents

IWSR Privacy Policy

When does IWSR collect information?

What information does IWSR collect?

How does IWSR use the information?

Pursuant To What Legal Bases Do We Process Your Information?

Cookies

Transfer Of Data

What You Can Do And Your Rights

Additional Information That May Be Of Interest

IWSR Data Processing Policy

Definitions and Interpretation

Agreed Terms

Customer Data

Changes

Information Security Policy


IWSR Privacy Policy

This privacy policy governs IWSR’s collection of your personal data via the website.


Introduction

IWSR respects your privacy. The type of information and ways we collect and use the information you provide while on our website (“Website”), Global Database (“Global Database”) and both collectively (the “Site”), or when registering as a client for other IWSR product and services (“Research”), and during certain other interactions are listed below:


When does IWSR collect information?

IWSR may collect certain information when an individual:

  • Registers for use of the Site or uses the Site
  • The above includes use of complimentary materials on the Website such as sample downloads, mailer registration and input forms to request demos or call backs
  • Registers for use of IWSR online tools
  • Purchases certain products or services from us
  • Registers for one of our events or webinars
  • Seeks employment opportunities with IWSR
  • Wishes to obtain more information about our products and services


What information does IWSR collect?

  • Personal contact information you may choose to provide while visiting or registering on our Site, including registrations to attend IWSR events. This information may include your: name, address, company name, job title, telephone or mobile number, email address, country and the name and email of third parties you may provide to us
  • Behavioural information about how you use the Site and your IP address
  • If you are applying for a job at IWSR, we may also collect your resume, work history, and education if you choose to provide these


How does IWSR use the information?

  • To fulfil our obligations. IWSR uses personal contact information you share with us to fulfil contractual obligations that may include providing products or services that you or your employer purchased, answer your contract administration related inquiries or communicate with you about your account or transactions with us, and send you information about features on the Site, or changes to our policies or events for which you registered. The provision of personal data is a requirement in order for us to fulfil contractual agreements; failure to provide this personal data may result in IWSR being unable to fulfil a contractual agreement
  • To improve research, services, the Site and measure effectiveness
    • IWSR regularly analyses data pertaining to visitor trends, research consumption, and research grading to improve our research, plan site enhancements, and measure overall site effectiveness
    • IWSR may further process personal data for a purpose other than that for which the personal data was collected in order to improve our services, such as requesting response to surveys on client services
    • IWSR may use automated processing and profiling of personal data via CRM software in order to: provide improved services to you in line with legitimate interest such as tailoring communications in line with your specified or supposed interests; or fulfil an obligation as requested by you, such as the completion of a call-back request or sample download forms on the Site
  • To answer job search inquiries. We use your submitted information to respond to inquiries you make regarding job postings
  • To maintain a secure Site. IP addresses are collected in order to maintain our Site security and ensure access to restricted portions of the Site is limited to authorised users
  • To improve our performance by using third party vendors. We may also disclose certain data to third party contractors or vendors in connection with their performance of services to us. Contractual agreements between us and such third parties provide that your information will be kept confidential and secure
  • To conduct IWSR Events. When registering for an event you may choose to have your name, title, company and/or country be available to event attendees during the event. IWSR transfers certain information of event registrants and attendees to its event sponsors. For details please see below:
    • Pre-Event Lists. Sponsors of an IWSR event are provided a “Pre-Event List” for event staffing purposes. The list contains the Company name and title of individuals that have registered for the event
    • Post-Event Lists. When registering for an event you may choose to have your contact details (name, title, company, and/or country) added to a “Post-Event List” that is transferred to sponsors of the event for marketing purposes
  • To send you marketing emails subject to your opt-in. If you opt into such communications, IWSR may use your email address to send periodic promotional emails, enews and special offers


Pursuant To What Legal Bases Do We Process Your Information?

We rely on a number of legal bases to use your information in the ways indicated above. These legal bases include where:

  • necessary to perform the contractual obligations in our agreement with you or your employer and provide services to you;
  • you have consented to the processing, which you can revoke at any time;
  • necessary to comply with a legal obligation, a court order, or to exercise or defend legal claims;
  • necessary for the purposes of our legitimate interests; and
  • you have expressly made the information public

Note that we principally rely on consent (i) to send marketing messages, and (ii) for sharing data of event attendees with sponsors post event.

Where we process your information on the basis of legitimate interests, we do so as it is necessary to pursue our legitimate interests of providing and improving IWSR services for our customers.

IWSR has a legitimate interest in understanding how our services are being used. We also pursue our legitimate interests of improving our services, efficiency, and determining the level of interest in services for customers by obtaining insights into usage patterns of the services.

IWSR has a legitimate interest in customising your on-site experience to help you discover relevant research and topics. IWSR also engages third-party companies and individuals (such as research companies, and analytics providers) to help us operate, provide, and market the services. These third parties have only limited access to your information, may use your information only to perform these tasks on our behalf, and are obligated not to disclose or use your information for other purposes. IWSR may also use your information to maintain a secure Site, including sharing of your information for such purposes, because it is necessary to pursue our legitimate interests in ensuring the security of our services, including enhancing protection of our Site, intellectual property infringement and security risks of all kind. IWSR has a legitimate interest in working with service providers to make our services better even if some service providers we use are not strictly necessary for us to provide the Services.

IWSR may also process and share your personal information with a third party in response to lawful requests by public authorities, including to meet legitimate national security or law enforcement requirements; defend against legal claims, to comply with a subpoena, court order, legal process, or other legal requirement; or when we believe in good faith that such disclosure is reasonably necessary to comply with the law.


Cookies

What is a cookie?

  • A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another


What type of cookies does the IWSR use?

  • Necessary: cookies required for access to the Site and core functionality
  • Behaviour and analytics: cookies used to gather behavioural information through the Site; provide customised content and recommendations; and analytics
  • Marketing: cookies that are used to deliver relevant advertising
  • Behavioural information collected by our web analytics vendor is used to analyse data pertaining to visitor trends, research consumption, and research grading in order to improve our research, plan Site enhancements, and measure overall Site effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor Site content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness
  • Aggregated (non-personally identifiable) user behaviour collected through cookies or web beacons may be shared with our other third-party service providers to either analyse or execute marketing programs
  • Please note that IWSR or other IWSR vendors or third-party advertisers may also use cookies that are independent of those placed by our analytics contractor (for example, to remember your password or tailor Site content)
  • Cookies and web beacons do not contain personally identifiable information; however, if you are a registered user, we may store this information with your registration information to enable us to better serve you. Use of cookies may also allow IWSR to automate your access to password-protected portions of the Site making it unnecessary for you to have to re-enter your password each time you visit our Site.


What can you do about cookies?

  • You may choose to control and/or delete all cookies from your hard drive. If you delete a cookie, however, please be advised that some features of our Site may not be accessible to you. Another option available to you is to change the preferences or settings in your web browser to control cookies. In some cases, you can choose to accept cookies from a primary Site, block them from third parties, or clear out all cookies


Transfer Of Data

We operate globally and may transfer your personal information to our affiliate companies or third parties in locations around the world for the purposes described in this privacy policy. Wherever your personal information is transferred, stored, or processed by us, we will take reasonable steps to safeguard the privacy of your personal information. Additionally, when using or disclosing personal information transferred from the European Union, we use standard contract clauses approved by the European Commission, adopt other means under European Union law for ensuring adequate safeguards, or obtain your consent.


What You Can Do And Your Rights


  • You can unsubscribe from promotional emails you receive at any time by clicking the link at the bottom of the email and may disable notifications on your mobile device. You may not be able to opt-out of important service announcements and administrative messages
  • You can choose to control and/or delete cookies from your hard drive. See the Cookie section above for more details
  • You have the following rights¹. Please note IWSR may have lawful reasons to deny requests related to the rights below:
    • The right to be informed: You have the right to be informed of IWSR’s purposes for processing your personal data, IWSR’s retention periods for that personal data, and who it will be shared with
    • The right of access: You have the right to access your personal data and supplementary information to allow you to be aware of and verify the lawfulness of the processing
    • The right to rectification: You have the right to have inaccurate personal data rectified or completed if it is incomplete
    • The right to erasure: You have the right to have your personal data erased from our systems
    • The right to restrict processing: You have the right to request the restriction or suppression of your personal data
    • The right to data portability: You have the right to obtain and reuse your personal data for your own purposes across different services
    • The right to object: You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics
    • Rights in relation to automated decision making and profiling: You have rights related to automated decision making and profiling
  • If you want to exercise any of your rights or need to contact IWSR’s Data Protection Officer, please email dataprotection@theiwsr.com. You can always contact IWSR at +44 (0)20 7689 6841 should you have any questions or concerns
  • You can go to IWSR’s subscription centre and select or change your contact preferences at any time
  • You have the right to lodge a complaint with a supervisory authority


Additional Information That May Be Of Interest

  • IWSR account managers and IT staff can place research documents into a client’s Report page on the Global Database in line with their subscription package or additional purchases. IT and account management employees can review the contents in this area
  • We have implemented technical, administrative, and physical security measures that are designed to protect your information from unauthorised access, disclosure, use, and modification. Please be aware though that, despite our best efforts, no security measures are perfect or impenetrable
  • Our website contains links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. We are not responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should look at the privacy statement applicable to the website in question
  • IWSR does not knowingly collect any personal information from children and does not market or offer services to children


IWSR Data Processing Policy

This Data Processing Policy (“DPP”) is a legal document and may be incorporated by reference in any agreement (“Agreement”) you as a customer (“Customer”) have with IWSR Drinks Market Analysis Limited (“IWSR or Licensor”).


Introduction

This DPP supplements any current terms and conditions or other agreement between IWSR and Customer and shall continue until the Agreement terminates. To the extent any provisions of this DPP conflict with any term of the Agreement, the relevant provision of this DPP shall prevail.


Definitions and Interpretation

“Agreed Purpose” means the performance by Licensor of its obligations under the Agreement including the promotion of the IWSR Products by IWSR.

“Data Protection Law” means, where applicable, the General Data Protection Regulation ((EU) 2016/679) (GDPR), the European Privacy and Electronic Communications Directive (Directive 2002/58/EC), as amended or replaced from time to time and all other national, international, regional, federal or other laws related to data protection and privacy that are applicable to any territory where Licensor processes personal data or is established and the terms “personal data”, “personal data breach”, “controller”, “processor”, “processing”, “data subject” and “supervisory authority” shall have the meanings ascribed to them under Data Protection Law as applicable;

“Standard Contractual Clauses” means the controller to processor standard contractual clauses available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en.

“Sub-processor” means a natural or legal person, public authority, agency or body other than the data subject or Customer, who is engaged by Licensor to process Customer Data.

All capitalised terms used but not otherwise defined in this DPP shall have the meaning given to them in the Agreement.


Agreed Terms

  • For the purposes of this DPP, the Customer and Licensor agree that Licensor acts as a processor and Customer acts as a controller in respect of the Customer Data and that the nature/purpose of the processing is to enable Licensor to provide the license for the duration of the Agreement.
  • Customer shall comply with its obligations under Data Protection Law and shall in particular:
    • ensure that it is entitled to transfer the relevant Customer Data to Licensor so that Licensor may lawfully use, process and transfer the Customer Data in accordance with the Agreement on the Customer’s behalf; and
    • ensure that the relevant data subjects have been informed of such use, processing, and transfer as required by all applicable Data Protection Laws
  • Licensor shall comply with its obligations under Data Protection Law and shall in particular:
    • only process the Customer Data for: (i) the Agreed Purpose; (ii) as instructed by the Customer; and (iii) as necessary to comply with Licensor’s requirements under any applicable law. If Licensor is aware that the Customer’s processing instructions infringe applicable laws, Licensor shall notify the Customer immediately (unless prevented from doing so by applicable laws) and not carry out the relevant processing;
    • maintain all appropriate technical and organisational measures to ensure security of the Customer Data including protection against unauthorised or unlawful processing (including, without limitation, unauthorised or unlawful disclosure of, access to and/or alteration of the Customer Data) taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the likelihood and severity of risk in relation to the rights and freedoms of the data subjects. These measures shall include but not be limited to those found here;
    • ensure that all persons authorised by it to process the Customer Data are subject to either contractual or statutory obligations of confidentiality;
    • the Customer and Licensor acknowledge that the United Kingdom’s withdrawal from the European Union introduces a requirement on both parties to ensure that transfers of personal data from the European Union to the United Kingdom receive an additional layer of protection in order to comply with Data Protection Law. If an adequate protection measure for the international transfer of personal data is required under the Data Protection Law and has not otherwise been arranged by the parties, the Standard Contractual Clauses shall be incorporated into this DPP as if they had been set out in full. The template elements of the Standard Contractual Clauses are completed below:

Standard Contract Clauses: main body particulars

Exporter contact details: Those of the Customer as set out in the Agreement.
Importer contact details: Those of the Licensor as set out in the Agreement.
Governing Law (cl. 9 & 11): England and Wales

Appendix 1 of the Standard Contractual Clauses:

Data Exporter: The Customer
Data Importer: The Licensor
Data Subjects: End licence users.
Categories of data: Name, email address.
Special categories of data: N/A.
Processing operations: As set out in the Agreement.

Appendix 2 of the Standard Contractual Clauses:

Physical Access Control
Restriction of access to buildings, data centres and server rooms as necessary, adequate locks on all doors, monitoring of unauthorised access, and written procedures for employees, contractors and visitors covering confidentiality and security of information.

System Security
Restricting access to systems depending on the sensitivity/criticality of such systems, use of password protection where such functionality is available, maintaining records of the access granted to which individuals, ensuring prompt deployment of updates, bug-fixes and security patches for all systems, appropriate security over wireless networks (802.11x) and remote access tools (including two factor authentication).

Data Processing
Selection of Sub-Processors based on technical expertise, trustworthiness and compliance with legislation, ensuring prompt instruction of Sub-Processors, ensuring prompt notification of the Processor or Controller in the event of a data security breach, and capability of Sub-Processors to correct and/or erase data upon instruction.

The illustrative indemnity set out in the Standard Contractual Clauses is deemed deleted.

    • is authorised to engage the Sub-processors listed at Schedule 1, subject to: (i) Licensor entering into a written agreement with such Sub-processors containing obligations which comply with Data Protection Law; and (ii) Licensor remaining liable for any breach of this DPP that is caused by its Sub-processors. The Licensor shall inform the Customer of any changes concerning the addition or replacement of other Sub-processors thereby giving the Customer the opportunity to reasonably object to such changes;
    • provide reasonable assistance to Customer to demonstrate its compliance with the Data Protection Laws, including but not limited to: (i) ensuring compliance with its security, breach notification, impact assessment and prior consultation obligations; and (ii) responding to (a) any request from a data subject to exercise its rights under Data Protection Law (without responding to that request unless authorised to do so by the Customer); and (b) any other correspondence or enquiry received in connection with the processing of the Customer Data;
    • notify the Customer without undue delay as soon as it becomes aware of any personal data breach in connection with the Customer Data;
    • maintain appropriate records and information in compliance with Data Protection Laws and, on request by the Customer, make available such records and information as are necessary to demonstrate Licensor’s compliance with this DPP and otherwise permit, and contribute to, audits carried out by the Customer (or its authorised representative); and
    • on termination or expiry of the Agreement, destroy or return (as the Customer directs) all Customer Data in its power, possession or control and delete all existing copies of such data except to the extent Licensor is required to retain a copy of the personal data by law
  • Subject to the limitation of liability provisions in the Agreement, to the extent that Customer has an entitlement under Data Protection Law to claim from Licensor compensation paid by the Customer to a data subject as a result of a breach of Data Protection Law to which Licensor contributed, Licensor shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant data subject

The Customer and Licensor shall agree in good faith any reasonable changes required to this DPP to comply with any changes to Data Protection Law.

Schedule 1

Sub-processors

Sub-processor, Purpose, Location
Amazon Web Services, Data hosting and backups, UK
Salesforce, Customer Relationship Management, UK
Microsoft (Office 365), Data hosting, UK (Exchange and Teams), EU (SharePoint)
Mimecast, Email Hygiene, UK (Decommission in Jan 2021)
WPEngine, Data hosting and backups, UK


Customer Data

The following types of Personal Data relating to Customer or its personnel may be shared with Licensor in connection with its provision of the IWSR Product(s) or other services:

  • Name
  • Gender
  • Address
  • Date of Birth
  • Email address
  • Financial information


Changes

Changes to this policy may be posted from time to time. All versions will reflect a posting date. We encourage you to visit this page periodically for changes.

Last updated: January 2021

¹ Data pertaining to closed contracts or contractual relationships which are not renewed will be retained for a maximum of two years post termination.


Information Security Policy

1. Introduction

The IWSR maintains an active information security program to protect all technology and information used by its staff or contractors.

The IWSR is a medium-sized business specialising in market research and analysis of the alcoholic drinks industry.

In general, we use a system called Salesforce to host our commercial, sales, marketing and supply chain information. Salesforce’s sophisticated profile-based user permissions make it ideal for a minimum-access system to store and process personal data from individual assessments.

We use an accounting package from Sage for hosting our financial data.

The IWSR maintains 3 key bespoke systems: Collector, Manager and Publisher. The IWSR’s services are all cloud-provided / internet-accessed. We do not operate a corporate private network.

We provide a public website, but this is not connected directly to any of our core systems and does not provide any services directly to visitors.

This security policy is commensurate with this background.

2. To whom does this policy apply?

This policy applies to all staff, temporary and permanent, who use The IWSR technology or personal devices to access, process, use, or store data and information in any format on behalf of The IWSR.

3. What does this policy cover?

This policy covers all authorised technology devices used for The IWSR business. This includes The IWSR laptops, and mobile equipment such as, Tablets, Mobile Phones, and any personal devices used.

This policy also covers the data and information accessed or held within these devices, or The IWSR information hosted by authorised third parties (Cloud). It also includes paper or hard-copy information held on or off-site.

Please note that this policy may not cover all situations or answer every question you may have about using technology devices or The IWSR data. Therefore, if you have a situation that is not addressed by this document or you simply have a question about data security, please call The IWSR’s Chief Technology Officer.

Role: CTO
Email: enquiries@theiwsr.com
Phone: +44 (0)20 3855 5477

4. Communications

The effective communication, and subsequent acknowledgement and understanding, of The IWSR’s information security policy is vitally important.

The IWSR briefs all new starters during the onboarding process.

5. Responsibility

All staff are responsible for the security and safe keeping of any The IWSR-issued equipment used for accessing systems and for keeping all The IWSR data and information accessed or stored on those devices secure.

Staff are also responsible for ensuring that all authorised The IWSR issued technology devices continue to meet the company’s security requirements using The IWSR password and encryption controls.

Similarly, although personal technology devices are recognised and accepted, these devices are not supported by The IWSR and staff are responsible for keeping all The IWSR data and information accessed or stored on those devices secure and in accordance with the requirements described in the Storage section below.

6. Risk Register

A register of IT-related risks will be created and regularly reviewed.

7. Policies

7.1. Acceptable Use Policy (AUP)

An AUP stipulates the constraints and practices that an employee using organizational IT assets must agree to in order to access the corporate network or the internet. It is standard onboarding policy for new employees.

The IWSR AUP can be found throughout the “The IWSR Staff Handbook”.

7.2. Access Control Policy (ACP)

The IWSR has an estate of cloud-based services. Access to these is provisioned via role-based permissions, which are allocated to users in order to ensure minimum required access and segregation of roles where possible.

The core principles of our ACP are based on the following two points:

  • Segregation of duties – for example, approval and implementation shall be distinct and separated
  • Least privileged access – the lowest practical level of system access will be granted in order for duties to be undertaken in a given role

7.2.1. User ID’s and Passwords

All passwords should be ‘strong’. Within The IWSR strong is taken to mean:

  • It should be at least 8 characters long
  • It should not contain any of your personal information, specifically your real name, user name, or even your company name
  • It must be distinct from your previously used passwords
  • It should not contain any word spelled completely
  • It should contain characters from all four primary categories: uppercase letters, lowercase letters, numbers, and special characters (symbols)
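As an added illustration (not part of IWSR's policy or systems), a Python check that applies the five rules above to a candidate password and reports which ones it breaks; the sample word list and the user identifiers are constructed placeholders, and a real deployment would load a full dictionary.

```python
"""Checker for the five password rules stated in section 7.2.1 of the policy."""

# Constructed sample word list for the "no complete word" rule. A real
# deployment would load a full dictionary (and the company's own terms).
SAMPLE_WORD_LIST = frozenset({
    "password", "welcome", "summer", "winter", "drinks", "market",
    "research", "admin", "login", "spirit", "wine", "beer",
})
MIN_LENGTH = 8
MIN_WORD_LENGTH = 4  # assumption: ignore very short words such as "a" or "an"


def _personal_fragments(real_name, user_name, company_name):
    """Split the user's identifiers into fragments a password must not contain.

    The policy forbids the real name, user name and company name; also checking
    each word of a multi-word name (e.g. the surname alone) is an assumption
    that makes the rule stricter, never weaker.
    """
    fragments = set()
    for value in (real_name, user_name, company_name):
        for part in value.replace("@", " ").replace(".", " ").split():
            if len(part) >= 3:
                fragments.add(part.lower())
    return fragments


def check_password(candidate, real_name, user_name, company_name,
                   previous_passwords, word_list=SAMPLE_WORD_LIST):
    """Return the list of 7.2.1 rules the candidate violates (empty = compliant)."""
    violations = []
    lowered = candidate.lower()

    # Rule 1: at least 8 characters
    if len(candidate) < MIN_LENGTH:
        violations.append("length: fewer than 8 characters")

    # Rule 2: no personal information (real name, user name, company name)
    hits = sorted(f for f in _personal_fragments(real_name, user_name, company_name)
                  if f in lowered)
    if hits:
        violations.append("personal information: contains " + ", ".join(hits))

    # Rule 3: distinct from previously used passwords (compared case-insensitively)
    if lowered in {p.lower() for p in previous_passwords}:
        violations.append("reuse: matches a previously used password")

    # Rule 4: no complete dictionary word anywhere in the password
    words = sorted(w for w in word_list if len(w) >= MIN_WORD_LENGTH and w in lowered)
    if words:
        violations.append("dictionary word: contains " + ", ".join(words))

    # Rule 5: characters from all four categories
    categories = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "number": any(c.isdigit() for c in candidate),
        "special character": any(not c.isalnum() for c in candidate),
    }
    missing = [name for name, present in categories.items() if not present]
    if missing:
        violations.append("categories: missing " + ", ".join(missing))

    return violations


if __name__ == "__main__":
    # Constructed sample user: Jane Smith, user name jsmith, at a company called IWSR.
    for pw in ("Tq7#vL9pXz", "Summer2020!", "jsmith99"):
        print(pw, "->", check_password(pw, "Jane Smith", "jsmith", "IWSR", []) or "compliant")
```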

7.2.2. Licensing and copyright

Purchase and installation of computer software will be in accordance with vendor requirements to ensure that the business meets its legal and contractual obligations.

The IWSR IT support provider (as at 27/11/20 Infinity Ltd) will support the process of installing or using software not ordinarily provided by The IWSR to ensure that the software is appropriately installed and configured.

7.2.3. Access

Regardless of your role as an employee, you will be assigned The IWSR equipment. Additionally, you may also be permitted to use personal devices, e.g. accessing your The IWSR email account via a client on your personal mobile device.

The line manager of the new employee is required to authorise a new employee to have an account on The IWSR systems. The line manager is required to specify any specific information access rights needed by the new employee.

This authorisation is communicated to Infinity, The IWSR’s IT provider, The IWSR Technology Team and HR, who will set up the accounts with the authorised access rights.

7.2.4. Workstation Sessions

Users are personally responsible for the security of the workstation they are using. This applies particularly when The IWSR users are working remotely. Users need to be mindful of information visible on screens to other people in the vicinity. Even on The IWSR premises, we may be dealing with the personal information of a client, customer or colleague. This is equally important when off-premises, for example, on customer sites or in public spaces.

When stepping away from workstations, users should enable the lock screen on their workstation (for example “Win-L” on Windows machines). All users are required to log off the system when their session is complete. Users must log off completely at the end of the working day or if they leave The IWSR premises.

Where the system gives users the discretion to grant access for their material to colleagues, users must ensure that colleagues do have a real business ‘need-to-know’ for that particular piece of information. Users must not release information beyond that permitted by their job description without specific authority from their line manager.

7.2.5. Leavers

Since The IWSR’s services are primarily cloud-provided, it is critical that a user’s accounts on these services are disabled when the user leaves the organisation.

HR is the key control owner in this case. See “The IWSR Joiners, Movers, Leavers Procedure”, in which it is mandated to ensure that all resources accessible to the leaving staff member are rescinded. This is enabled by issuing an instruction to the Technology Team in accordance with the “The IWSR Systems Access Policy”.

7.3. Change Management Policy

A change management policy refers to a formal process for making changes to IT, software development and security services/operations. The goal of a change management program is to increase the awareness and understanding of proposed changes across an organization, and to ensure that all changes are conducted methodically to minimize any adverse impact on services and customers.

7.4. Information Management Policy

The IWSR takes the security of all of its Information seriously, especially that of its clients and customers.

7.4.1. Classification of data

Staff must be familiar with how to classify their content so that it is handled with the correct level of confidentiality, integrity, and availability.

This policy mandates three categories: PUBLIC, INTERNAL USE and CONFIDENTIAL. The following handling constraints are mandated for content in each category. The labels are largely intuitive but are fully defined in the classification policy.

Content Classification:

  • PUBLIC
  • INTERNAL USE
  • CONFIDENTIAL

7.4.2. Encryption

“Encryption” is taken to mean “a method by which plaintext or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key.”

Systems-level encryption
All of The IWSR’s key systems are cloud-based, which means that the content is stored and managed by the vendor’s application in a remote datacentre and consumed via a browser by The IWSR users. In general, we seek systems which offer encryption at rest and in transit. At the time of writing, AES-256 is sought for encryption at rest and TLS 1.2 is sought for delivery into the browser.

Individual file encryption
Microsoft Office documents may be individually encrypted using the Office password-protection feature. Office 2016 and later uses a 256-bit AES encryption mechanism which is deemed secure. This can be applied both to Office-format files (.DOC, .XLS, .PPT) and to PDF.

PDFs created in Acrobat X or later feature 256-bit AES encryption when password-protected.

Note that these file-level encryption options need to be invoked individually by users when required. The password chosen needs to be securely communicated to any receiving party.

7.4.3. Storage

Storage of The IWSR’s data must be consistent with the classification of the material.

All confidential and sensitive hardcopy paper records and information must be protected from unauthorised access and stored securely at all times.

| Content Classification | The IWSR cloud systems (information not on a local device, other than as visible in a browser) | The IWSR devices (local copy) | Non-The IWSR devices (e.g. personal devices of staff, contractors’ machines) |
| --- | --- | --- | --- |
| PUBLIC | No restrictions | No restrictions | No restrictions |
| INTERNAL USE | Encryption at rest | Encryption at rest | Individual file encryption |
| CONFIDENTIAL | Encryption at rest | Encryption at rest | Individual file encryption |

7.4.4. Transmission

The transmission of data is dominated by email. The following policy should be observed.

| Content Classification | @TheIWSR.com to @TheIWSR.com | @TheIWSR.com to @other_domains | @other_domains to @TheIWSR.com |
| --- | --- | --- | --- |
| Examples | Internal email | Communications with other organisations | Transmitting The IWSR content via non-The IWSR accounts |
| PUBLIC | No restrictions | No restrictions | No restrictions |
| INTERNAL USE | No restrictions | Consider if the recipients are authorised | Consider if the recipients are authorised |
| CONFIDENTIAL | Consider if the recipients are authorised | Individual file encryption | Individual file encryption |

In all cases, consider whether a direct file-sharing platform such as SharePoint or OneDrive is feasible in preference to email. Tailored permissions such as time limits, view-only (no-save), and recipient-eyes-only can all be set.

7.4.5. Removal of data

All users of The IWSR information are required to ensure that security measures for the transfer and storage of information are appropriate to the risks faced in that process. If you are uncertain about these risks you must discuss them with your manager or The IWSR Chief Technology Officer.

“The IWSR Data Protection Policy” offers clear and specific guidance on the retiring of data from our core secure systems. It is up to users to manage the rest of their individual and team data sets pragmatically and in accordance with business need. In general, data should not be kept beyond its useful life “just in case”.

In addition, all staff have a responsibility to consider the security implications when disposing of information in the course of their work. If in doubt about whether or how to dispose of electronic or paper data, discuss this with your line manager.

In the event of leaving The IWSR, staff must ensure that all company-provided devices and accessories are returned. Any data and information which has been temporarily stored on personal devices MUST be wholly deleted. If personal data services have been used for the temporary processing of The IWSR data (for example a personal SharePoint account), all such data must be permanently deleted from those services.

7.4.6. Loss

Staff members are responsible for the security and integrity of all The IWSR technology or personal devices used to access any of the charity’s information management systems and applications and the integrity, quality and security of the data and information contained within them.

If you believe that any of your The IWSR-issued technology, personal devices, hard-copy or paper records have been lost or stolen, you are required to follow the procedure described in the Incident Response Policy section below.

7.5. Incident Response (IR) Policy

Actual or suspected information security incidents must be reported immediately to the CTO. In their absence, contact the CEO or CFO.

Role: CTO
Email: enquiries@theiwsr.com
Phone: +44 (0)20 3855 5477

7.6. Remote Access Policy

The IWSR does not operate a private corporate network. All services are accessed via the public internet. All office locations are connected via aggregate internet connections. Users are permitted to access The IWSR services from The IWSR-provided laptops via home or mobile internet connections.

The IWSR protects all systems access via a centrally managed anti-virus service.

7.7. Email/Communication Policy

The IWSR email usage guidance is contained in the “The IWSR Acceptable Use Policy”.

7.8. Disaster Recovery Policy

An organization’s disaster recovery plan will generally include both cybersecurity and IT teams’ input and will be developed as part of the larger business continuity plan. The CTO and teams will manage an incident through the incident response policy. If the event has a significant business impact, the Business Continuity Plan will be activated. An example of a disaster recovery policy is available at SANS.

7.9. Business Continuity Plan (BCP)

The BCP will coordinate efforts across the organization and will use the disaster recovery plan to restore the hardware, applications and data deemed essential for business continuity. BCPs are unique to each business because they describe how the organization will operate in an emergency.
