Version 1.0
Prepared by: Lorraine Sebata
Approved by: Lorraine Sebata
Reviewed date: 2025-07-25
Next review date: 2026-07-24
This Data Security Policy outlines Easyterms's commitment to protecting the confidentiality, integrity, and availability of its information technology (IT) systems and data. The purpose of this policy is to establish a framework for managing security risks, ensuring compliance with regulatory requirements, and safeguarding all information assets from unauthorized access, use, disclosure, disruption, modification, or destruction.
This policy applies to all employees, contractors, third-party agents, and any other individuals with access to Easyterms's IT systems, networks, applications, and data. It covers all company-owned or managed hardware and software, as well as any personally owned devices used for business purposes (Bring Your Own Device, BYOD).
All information assets shall be classified based on their sensitivity and criticality. This classification will determine the level of security controls required to protect them. Classifications may include:
Confidential: Data that, if disclosed, would cause significant harm (e.g., client financial records, cardholder data, business strategies).
Internal Use Only: Data that is not intended for public release.
Public: Data that is authorized for public disclosure.
Access to IT systems and data shall be granted based on the principle of least privilege, meaning employees will only have access to the information and systems necessary to perform their job duties. This principle is especially critical for systems handling confidential data like cardholder information. Access rights shall be reviewed and updated regularly, and terminated employees' access will be revoked immediately upon departure.
All users shall be required to use strong, unique passwords for all company IT systems. Password policies will include requirements for minimum length, complexity (e.g., use of uppercase, lowercase, numbers, special characters), and regular password changes. Multi-factor authentication (MFA) shall be implemented for all critical systems.
The company's network shall be protected by firewalls, intrusion detection systems, and other security measures. Wireless networks will be secured with strong encryption. Regular vulnerability scanning and penetration testing shall be conducted to identify and address security weaknesses.
All company-owned devices (e.g., computers, laptops, mobile phones) shall be protected with up-to-date antivirus software, firewalls, and regular security patches. Unauthorized software installation is prohibited.
Sensitive data, both at rest (stored on devices or servers) and in transit (sent over networks), shall be encrypted using industry-standard protocols to prevent unauthorized interception or access. This is a critical requirement for protecting all confidential data, including cardholder data.
A formal Incident Response Plan shall be maintained and tested regularly. This plan will define the procedures for identifying, containing, eradicating, and recovering from security incidents (e.g., data breaches, malware attacks). All employees are responsible for reporting any suspected security incidents immediately.
All remote access to the company's network and systems must be secured using a Virtual Private Network (VPN) or other approved secure methods. All remote access activities shall be logged and monitored.
All employees shall receive regular and mandatory training on IT security best practices, including recognizing phishing attempts, safe browsing habits, and their responsibilities under this policy. Training will also cover the specific requirements of PCI DSS for all personnel involved in handling cardholder data.
Easyterms is committed to maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS). This includes, but is not limited to:
Protecting all cardholder data with robust security measures.
Building and maintaining a secure network.
Protecting cardholder data.
Maintaining a vulnerability management program.
Implementing strong access control measures.
Regularly monitoring and testing networks.
Maintaining an information security policy.
Board of Directors / Senior Management: Overall responsibility for approving and overseeing the IT Data Security Policy, ensuring adequate resources are allocated, and promoting a culture of security awareness.
IT Department: Responsible for implementing, maintaining, and monitoring all technical security controls, managing the Incident Response Plan, and providing security training and support. The IT department is specifically responsible for implementing the technical requirements of PCI DSS.
Compliance Department: Responsible for ensuring that the IT Data Security Policy and its procedures comply with all relevant legal and regulatory requirements, including PCI DSS.
All Employees: Responsible for adhering to this policy, protecting company data and IT assets, and reporting any security vulnerabilities or incidents. This includes following all procedures related to the secure handling of cardholder data.
This policy will be reviewed at least annually, or more frequently if there are significant changes in technology, security threats, or legal and regulatory requirements. This review will specifically consider any updates to PCI DSS standards.