Data Security Policy
Last updated: 8 October 2024
Introduction
This Data Security Policy outlines the measures Fynbos takes to protect the confidentiality, integrity, and availability of the data we collect, store, and process. This policy applies to all employees, contractors, and third-party partners of Fynbos.
Objectives
- Protect sensitive information from unauthorised access and disclosure.
- Ensure the integrity of data and systems.
- Comply with applicable laws and regulations regarding data security.
- Foster a culture of security awareness within Fynbos.
Scope
This policy covers all data, systems, and networks owned or operated by Fynbos, including:
- Personal data of users and employees.
- Financial data and records.
- Intellectual property and proprietary information.
- Any other confidential or sensitive information.
Data Classification
Data is classified into the following categories:
- Public: Information intended for public disclosure.
- Internal: Information intended for internal use only.
- Sensitive: Information that, if disclosed, could harm Fynbos or its stakeholders.
Access Control
Access to data is granted on a need-to-know basis.
Employees must use strong, unique passwords and multi-factor authentication.
Access rights are reviewed periodically to ensure compliance with this policy.
Data Protection Measures
- Encryption: All sensitive data must be encrypted both in transit and at rest.
- Backups: Regular backups of all data must be conducted and stored securely.
- Network Security: Firewalls, antivirus software, and intrusion detection systems must be used to protect the network.
- Physical Security: Access to physical locations where data is stored must be restricted to authorised personnel.
Data Handling and Storage
Data must be stored in secure locations with appropriate access controls.
Sensitive data should not be stored on portable devices unless encrypted.
Data retention policies must be followed to ensure data is not kept longer than necessary.
Incident Response
All employees must report any suspected data breaches or security incidents immediately.
An incident response plan must be in place to address and mitigate the impact of data breaches.
Post-incident reviews must be conducted to prevent future occurrences.
Training and Awareness
All employees must undergo regular training on data security best practices.
Awareness programmes must be conducted to keep employees informed about the latest security threats and how to handle them.
Compliance and Monitoring
Regular audits and assessments must be conducted to ensure compliance with this policy.
Non-compliance with this policy may result in disciplinary action, up to and including termination of employment.
Review and Updates
This policy will be reviewed annually and updated as necessary to reflect changes in laws, regulations, and business practices.