1.1 Purpose and Scope
The purpose of this Security Management Policy is to establish guidelines and procedures to ensure the confidentiality, integrity, and availability of information assets at LightCastle Partners Limited. This policy applies to all employees, contractors, and third-party entities with access to LightCastle’s information systems.
1.2 Information Security Objectives
- Protect the confidentiality of sensitive information
- Ensure the integrity of data and information
- Guarantee the availability of information systems
- Comply with legal and regulatory requirements
- Safeguard the reputation and trust of LightCastle Partners Limited
- Minimize the risk of security breaches and incidents
1.3 Information We Collect and How We Use It
- Primary Data Collection: Our company gathers data directly from the field, with sample sizes that vary according to project and market research requirements. Depending on the need, we may collect confidential personal and business operational information, such as names, addresses, phone numbers, NID (national ID) numbers, pictures, business models, profits, sales, loan details, contracts, and financial data. We always obtain the data provider's consent before collecting such confidential information, as set out in section 1.4.
- Email Communications: If anybody sends us an email with questions or comments, we may use their personally identifiable information to respond, and we may save their questions or comments for future reference. For security reasons, we do not recommend sending non-public personal information, such as passwords, social security numbers, or bank account information, to us by email. Aside from our reply to such an email, it is not our standard practice to email anybody unless they ask particular questions, request project support, or apply for our vacancies. In certain instances, we may provide them with the option to set their preferences for receiving email communications from us; that is, to agree to some communications but not others.
- Transfer of Assets: As we continue to develop our business, we may sell or purchase assets. If another entity acquires us or all (or substantially all) of our assets, the personally identifiable information and non-personal information we have about you will be transferred to and used by this acquiring entity. Also, if any bankruptcy or reorganization proceeding is brought by or against us, all such information may be considered an asset of ours and as such may be sold or transferred to third parties.
- Other: Notwithstanding anything herein to the contrary, we reserve the right to disclose any personally identifiable information or non-personal information about you if we are required to do so by law, concerning copyright or other intellectual property infringement claims, or if we believe that such action is necessary to: (a) fulfill a government request; (b) conform with the requirements of the law or legal process; (c) protect or defend our legal rights or property, our Website, or other users; or (d) in an emergency to protect the health and safety of our Website’s users or the general public.
1.4 Actions We Take While Collecting Personal Data
Taking consent: Before collecting any personal or confidential information, written consent must be obtained from the data provider. We commit not to share or sell the collected data to any third party for personal gain. Where collaboration with a third party is necessary, explicit consent is sought: the data provider is informed of the specific organization with which the information is to be shared, and acknowledges that they bear no obligations to that third party.
Provide clear consent wording: As an organization we are obligated to use clear, non-legalese language that allows the person to give unambiguous consent. Most of our data is primary data gathered in the field; ensuring the security of this information is our responsibility, and it is crucial to communicate these details clearly in simple language.
Caution: We have implemented security measures we consider reasonable and appropriate to protect against the loss, misuse, and alteration of the information under our control. Please be advised, however, that while we strive to protect your personally identifiable information and privacy, we cannot guarantee or warrant the security of any information you disclose or transmit to us online and are not responsible for the theft, destruction, or inadvertent disclosure of your personally identifiable information.
1.5 Security Management Policy
- Access Control: User access rights will be granted on the principle of least privilege. Access to sensitive information will be restricted and monitored. User account management will follow strict procedures, including timely deactivation of accounts when an employee or contractor leaves or changes role.
- Policy Review and Reporting: This Security Management Policy will be reviewed annually, or sooner as needed, to ensure its relevance and effectiveness. All employees are responsible for adhering to it and for reporting any security concerns promptly to [email protected].
- Password Management Policy: At LightCastle Partners, we enforce a robust password management policy to safeguard our platforms, applications, and databases. All passwords must be at least 10 characters long and include a combination of uppercase letters, lowercase letters, numbers, and special characters. Passwords must be unique and not reused across different accounts, and must be changed every 90 days. Multi-factor authentication (MFA) is required for access to sensitive systems. Users must protect their passwords, must not share them, and must change them immediately if they are suspected to be compromised. Accounts will be locked after five failed login attempts, and password reset requests must be verified by the Digital Transformation team before a reset is performed. Users are responsible for creating, managing, and protecting their passwords; the tech team (Digital Transformation) enforces the policy and provides support; and management ensures that all staff understand and comply with it.
- Data Retention: At LightCastle Partners, we adhere to a stringent data retention policy to ensure the security and confidentiality of our data. All data, including pictures, videos, and reports, will be retained only as long as necessary to fulfill its intended purpose or support our business operations. Users are responsible for adhering to data retention schedules and managing data accordingly. Each class of data will have a defined validity period, after which it is reviewed and either retained for a documented reason, securely archived, or destroyed in accordance with the Data Destruction policy below. Regular backups of critical data will be performed, and the integrity of these backups and our ability to restore from them will be tested periodically. The security impact of changes to retention schedules or systems will be assessed, and any necessary security measures will be implemented.
- Data Destruction: To ensure the complete and irreversible elimination of data no longer needed, we adhere to a stringent data destruction policy. Sensitive data will be regularly reviewed and securely deleted using industry-standard methods. Once the applicable retention period has passed, users may delete or destroy the relevant files, data, and records to manage storage. Upon an employee's exit, they must transfer ownership of all data, files, and documents as part of the offboarding process. Offboarding includes revocation of access rights, retrieval of company property such as documents, company email, business cards, ID cards, and company data, and verification of the return of any sensitive information, which will then be destroyed. Essential data may be securely archived and transferred to senior management before the associated email account is permanently deleted. Compliance with this policy is mandatory, and violations may result in disciplinary action.
- Physical Security: Physical access to data centers, server rooms, and other critical infrastructure will be restricted and monitored. Surveillance cameras and access control systems will be deployed in sensitive areas.
- Security Awareness Training: All employees will receive regular training on security best practices, policies, and procedures to ensure a high level of security awareness. The effectiveness of the security training and awareness program will be periodically evaluated through assessments and feedback from employees.
- Compliance: LightCastle Partners Limited will comply with relevant legal and regulatory requirements related to information security. Regular audits and assessments will be conducted to ensure compliance.
- Enforcement: Violations of this Security Management Policy may result in disciplinary action, including but not limited to reprimands, suspension, termination, and legal action, as deemed appropriate.
- Policy Distribution: This policy will be distributed to all employees and contractors and will be made available on the company’s intranet.
- Third-Party Security: Third parties, including photographers, banks, legal teams, PR consultants, and any other project-based partners or freelancers with access to LightCastle's systems, will be required to adhere to our security standards and undergo periodic security assessments. Contracts with third parties will include security clauses and requirements.
- Security Incident Reporting: Our incident management policy ensures swift and effective resolution of security incidents to protect our operations and data. All employees are required to report any suspected or confirmed security incident promptly to [email protected]. The Digital Transformation team is designated and trained to handle security incidents, and will ensure proper documentation and record-keeping once an incident is closed.
- Disaster Recovery: Our disaster recovery policy ensures rapid and efficient restoration of operations following any disruptive events. All critical systems and data are regularly backed up and stored securely. In the event of a disaster, Digital Transformation recovery teams will follow predefined procedures to restore functionality and minimize downtime. Regular testing of disaster recovery plans ensures their effectiveness and identifies areas for improvement. Teams are trained on their roles in disaster recovery, and clear communication channels are maintained to provide updates throughout the recovery process. Regulatory requirements guide our disaster recovery efforts, ensuring data integrity and business continuity.
- Social Engineering Awareness: Employees will receive training on recognizing and preventing social engineering attacks, such as phishing and pretexting. Simulated phishing exercises may be conducted periodically to assess and improve employee awareness.
- Emerging Threats and Technology Monitoring: The Digital Transformation team will stay informed about emerging threats and technological advancements in order to address new security challenges proactively. Security controls will be updated to mitigate risks associated with evolving threats, and a monthly review of these controls is required.
- Privacy Protection and Confidentiality: LightCastle is bound to maintain the confidentiality, integrity, and availability of information, with a focus on the specific nuances of the Bangladeshi landscape. We are committed to protecting the privacy of individuals and will comply with applicable data protection laws and regulations. Privacy impact assessments will be conducted for new projects involving personal information.
- Collaboration with Law Enforcement: In the event of a security incident, LightCastle Partners Limited will collaborate with law enforcement agencies as necessary to investigate and resolve the incident.
- Cloud Security: Security measures will be implemented to protect data stored in cloud environments, including the use of encryption, access controls, and regular security assessments.
- Environmental Controls: Measures will be implemented to safeguard information systems and data against environmental threats such as fire, flood, and other natural disasters.
- Safety Security: In the event of political turmoil or extraordinary circumstances such as strikes, blockades, or rallies, individuals are permitted to work remotely. Where issues arise in the field or damage control is required, senior management will decide on a case-by-case basis.
- Data Protection and Privacy: LightCastle Partners Limited recognizes the importance of protecting personal information and will comply with the provisions of the Bangladesh Data Protection Act. Any processing of personal data will be conducted in accordance with the principles and requirements set out in the applicable data protection laws of Bangladesh. Disclosure of personal data for any purpose other than work-related activities is strictly prohibited; personal and official data are to be used solely for work-related purposes.
- Reporting of Security Incidents to Authorities: In the event of a security incident involving a breach of personal information, LightCastle Partners Limited will notify the relevant authorities in accordance with the reporting requirements and timelines stipulated by applicable law.
- Cross-Border Data Transfer Compliance: International transfers of personal data will be conducted in accordance with the regulations set forth in the Bangladesh Data Protection Act, ensuring that data subjects' rights are protected throughout the transfer.
- Client Rights Protection: LightCastle Partners Limited will respect and protect the rights of clients/ stakeholders, particularly concerning the security and privacy of consumer data.