Information Security Policy

Policy Title: Information Security Policy
Responsible Executive: Chief Technology Officer (CTO)
Contact: Chief Technology Officer (CTO)
Effective Date: October 21, 2020 (first version)
Last Update: September 18, 2021
  1. Policy Statement

    The purpose of this policy is to provide a security framework that will ensure the protection of Fero’s as well as clients’ Information from unauthorized access, loss or damage while supporting the open, information-sharing needs of the business. The Information may be verbal, digital, and/or hardcopy, individually controlled or shared, stand-alone, or networked, used for administration, research, teaching, or other purposes. Standards and procedures related to this Information Security Policy will be developed and published separately.

    Failure to comply with this policy may subject you to disciplinary action and to potential penalties.

  2. Who Is Affected By This Policy

    The Information Security Policy applies to all Fero staff, as well as to any contractors, partners, vendors, or client representatives acting on behalf of Fero through service on groups such as task forces, project teams, and management committees (for example, the Project Management Office (PMO), or User Research Groups). This policy also applies to all other individuals and entities granted use of Fero and client Information, including, but not limited to, contractors, temporary employees, and volunteers.

  3. Definitions

    Authorization – the function of establishing an individual’s privilege levels to access and/or handle information.

    Availability – ensuring that information is ready and suitable for use.

    Confidentiality – ensuring that information is kept in strict privacy.

    Integrity – ensuring the accuracy, completeness, and consistency of information.

    Unauthorized access – looking up, reviewing, copying, modifying, deleting, analyzing, or handling information without proper authorization and legitimate business need.

    Information – information that Fero collects, possesses, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.

  4. Policy

    Fero appropriately secures its information from unauthorized access, loss or damage while supporting the open, information-sharing needs of the business and of its clients.

    1. Classification Levels

      All Fero and client Information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information.

      When combining information, the classification level of the resulting information must be re-evaluated independently of the source information’s classification to manage risks.

      The classification levels are:

      1. Restricted

        The following Information is classified as Restricted:

        • Bank Account Details
        • Information on client’s clients
        • Any Personal Identification Information (PII) such as identity cards, driving licenses, Social Security Numbers and Passport details
        • Credit card number
        • Rates, Invoices, or any other such details

        This security policy requires that unauthorized access to any Restricted information must be reported to the clients or any appropriate external agency or agencies. All reporting of this nature to external parties must be done by or in consultation with the Fero and Clients’ senior management.

        Sharing of Restricted information within Fero may be permissible if necessary to meet the Fero and clients’ legitimate business needs. Except as otherwise required by law (or for purposes of sharing between law enforcement entities), no Restricted information may be disclosed to parties outside Fero, including contractors, without the proposed recipient’s prior written agreement

        1. to take appropriate measures to safeguard the confidentiality of the Restricted information;
        2. not to disclose the Restricted information to any other party for any purpose absent Fero’s prior written consent or a valid court order or subpoena; and
        3. to notify senior management and client, if appropriate, in advance of any disclosure pursuant to a court order or subpoena unless the order or subpoena explicitly prohibits such notification.

        In addition, the proposed recipient must abide by the requirements of this policy. Any sharing of Restricted information within Fero must comply with Fero policies including the Privacy policy.

      2. Confidential

        Information is classified as Confidential if it falls outside the Restricted classification but is not intended to be shared freely within or outside Fero due to its sensitive nature and/or contractual or legal obligations. Examples of Confidential Information include all non-Restricted information contained in personnel files, misconduct and law enforcement investigation records, internal financial data, and any other pertinent client information.

        Sharing of Confidential information may be permissible if necessary to meet Fero’s legitimate business needs. Unless disclosure is required by law (or for purposes of sharing between law enforcement entities), when disclosing Confidential information to parties outside Fero, the proposed recipient must agree

        1. to take appropriate measures to safeguard the confidentiality of the information;
        2. not to disclose the information to any other party for any purpose absent Fero’s prior written consent or a valid court order or subpoena; and
        3. to notify Fero in advance of any disclosure pursuant to a court order or subpoena unless the order or subpoena explicitly prohibits such notification.

        In addition, the proposed recipient must abide by the requirements of this policy. Any sharing of Confidential information within Fero must comply with Fero policies including the Privacy policy.

      3. Unrestricted Within Fero

        Any Information is classified as Unrestricted Within Fero if it falls outside the Restricted and Confidential classifications but is not intended to be freely shared outside Fero. One example is the clients’ business processes.

        The presumption is that such information will remain within Fero. However, this information may be shared outside of Fero if necessary to meet Fero’s legitimate business needs, and the proposed recipient agrees not to re-disclose the information without Fero’s consent.

      4. Publicly Available

        The Information is classified as Publicly Available if it is intended to be made available to anyone inside and outside of Fero.

    2. Protection, Handling, and Classification of Information

      1. Based on its classification, the Information must be appropriately protected from unauthorized access, loss, and damage.
      2. Handling of the Information from any source other than Fero may require compliance with both this policy and the requirements of the individual or entity that created, provided, or controls the information. If you have concerns about your ability to comply, consult the relevant senior executive.
      3. When deemed appropriate, the level of classification may be increased, or additional security requirements imposed beyond what is required by this Information Security Policy.

  5. Responsibilities

    All Fero employees, consultants, and others granted use of Fero and client Information are expected to:

    • Understand the information classification levels defined in the Information Security Policy.
    • As appropriate, classify the information for which one is responsible accordingly.
    • Access information only as needed to meet legitimate business needs.
    • Not divulge, copy, release, sell, loan, alter or destroy any Information without a valid business purpose and/or authorization.
    • Protect the confidentiality, integrity, and availability of the Information in a manner consistent with the information's classification level and type.
    • Safeguard any physical key, ID card, computer account, or network account that allows one to access Fero or clients’ Information.
    • Discard media containing Fero information in a manner consistent with the information’s classification level and type. This includes information contained in any hard copy document (such as a memo or report) or in any electronic, magnetic, or optical storage medium (such as a memory stick, CD, hard disk, magnetic tape, or disk).
    • Contact the CTO, CIO, COO, or CEO before disclosing information in response to any litigation or law enforcement subpoenas, court orders, or other information requests from private litigants and government agencies.
    • Contact the appropriate management executives prior to responding to requests for information from regulatory agencies, inspectors, examiners, and/or auditors.

  6. Policy Review

    At a minimum, the Information Security Policy will be reviewed every 24 months.