Information Security Policy

Purpose

The purpose of this policy is to ensure the protection of client intellectual property (IP) entrusted to Fiddlie. It aims to prevent unauthorised access, use, or disclosure of client IP, thereby maintaining client trust and complying with legal obligations.

Scope

This policy applies to all employees, contractors, and third parties who have access to client IP within Fiddlie's operational purview. It covers all forms of client IP, whether held digitally, on physical media, or as know-how.

Policy Elements

Data Classification and Handling

All client IP must undergo a rigorous classification process upon receipt or creation. The classification levels (Confidential, Restricted, and Public) are assigned according to the sensitivity of the information and the potential impact of unauthorised disclosure on both the client and Fiddlie.

Once classified, client IP is handled under strict access control measures. Access is granted on a need-to-know basis only: employees, contractors, and third parties may access only the specific IP their role requires. This principle of least privilege limits the exposure from both insider misuse and compromised accounts.

Encryption plays a critical role in the protection of digital IP. All digital client IP, without exception, is encrypted both in transit across networks and at rest in storage, using industry-standard encryption protocols. This ensures that data obtained without the corresponding keys, whether from intercepted traffic or from stolen or discarded storage media, remains unintelligible. Encryption does not protect against misuse of legitimately granted access, which is why it is applied in combination with the access controls above.

The classification and handling processes are not static; they are subject to ongoing review and adjustment in response to changes in the threat landscape, technological advancements, and client requirements.

Physical Security

Fiddlie’s entire premises are designated as a secure zone, where physical access is strictly controlled through mechanisms such as key card access systems, locks, and surveillance cameras. These measures ensure that only authorised personnel can enter areas where sensitive IP is stored or processed.

The management of documents containing client IP follows a stringent set of procedures. These include protocols for the secure printing, copying, and distribution of sensitive materials, ensuring that such activities are monitored and logged to prevent unauthorised access or duplication. The disposal of documents is equally critical; shredding or other forms of secure destruction are employed to prevent recovery and misuse of discarded materials.

These practices are part of a broader commitment to physical security, which also includes regular audits of secure areas and the training of staff to be vigilant against potential breaches.

Digital Security

Fiddlie's digital security strategy rests on a robust network security infrastructure comprising firewalls and intrusion detection and prevention systems (IDPS). These technologies defend against both external attacks and internal security breaches. Fiddlie maintains a segmented network architecture that separates systems holding sensitive client IP from less sensitive systems, so that a compromise elsewhere on the network does not by itself grant access to client IP.

Application security is another critical component of our digital security strategy. Fiddlie employs rigorous security practices throughout the software development lifecycle to ensure that applications handling client IP are secure by design. This includes regular vulnerability assessments to identify and remediate potential security weaknesses before they can be exploited. Code reviews are conducted by security experts who scrutinise the application code for security flaws and ensure adherence to secure coding standards.

Together, these measures create a multi-layered defence strategy that protects client intellectual property from digital threats.

Employee Training and Awareness

Employees, contractors, and third parties associated with Fiddlie are the first line of defence against threats to client intellectual property. Therefore, comprehensive training programs are essential, not only upon initial employment but also through regular, ongoing education sessions. These sessions are designed to keep all staff updated on the latest security protocols, potential threat vectors, and the importance of safeguarding client IP.

Regular training ensures that employees understand the various forms of intellectual property they may encounter, the potential risks associated with mishandling IP, and the specific procedures Fiddlie has implemented to prevent such breaches. This includes familiarising staff with the legal and contractual ramifications of IP theft or negligence, both for them personally and for the company.

Awareness programs complement these training sessions by integrating IP protection into the company culture. Through newsletters, intranet updates, posters, and regular meetings, employees are constantly reminded of their roles and responsibilities in protecting client assets. These communications highlight recent security incidents within the industry, share best practices, and provide updates on policy or procedural changes within Fiddlie.

Moreover, to encourage a proactive security posture, Fiddlie implements an open-door policy for reporting potential security threats or vulnerabilities, with assurances that reports will be treated confidentially and without reprisal. This approach fosters an environment where security is everyone's responsibility, encouraging vigilance and prompt reporting of any suspicious activity.

Incident Response and Reporting

Fiddlie maintains a documented incident response procedure that is activated immediately upon the detection or report of a potential security incident, so that threats to client IP are addressed and resolved swiftly.

Upon identification of a potential security incident, the procedure begins with a rapid assessment of the incident's scope and its potential impact on client IP. The threat is then contained to prevent further damage or loss of data. Next, the root cause is eradicated and any affected systems or data are restored to a known-good state. Finally, a thorough investigation establishes the full cause of the incident, evaluates the effectiveness of the response, and records lessons learned to avert similar incidents in the future.

Fiddlie has established clear and accessible mechanisms for the reporting of potential security incidents, emphasising the importance of prompt reporting by all employees. To facilitate this, multiple reporting channels are made available, allowing for both anonymous and identified reporting, thereby ensuring that employees can report incidents without fear of reprisal.

Following the containment and resolution of a security incident, a comprehensive review is conducted. This review encompasses a detailed analysis of the incident, including the sequence of events, the impact on client intellectual property, the corrective actions taken, and recommendations for future preventive measures. This report is then shared with senior management and pertinent stakeholders, fostering an environment of transparency and continuous improvement.

Regular reviews and updates to these procedures ensure that Fiddlie's approach to incident response and reporting remains effective and aligned with evolving security threats.

Compliance and Legal Obligations

Fiddlie pledges adherence to all relevant laws, regulations, and standards that govern the protection of intellectual property. This commitment not only encompasses compliance with national and international IP laws but also extends to industry-specific regulations that might impact the handling of client IP. The company ensures that all contractual agreements with clients, contractors, and third-party service providers contain explicit clauses designed to safeguard IP. These clauses detail the responsibilities of each party in protecting IP, outline the measures to be taken in the event of a breach, and specify the consequences of failing to uphold these obligations. Fiddlie actively monitors regulatory developments to ensure its policies remain in compliance with the latest legal requirements. Additionally, the company engages in regular audits of its practices and procedures to identify potential areas of non-compliance and to implement corrective actions promptly.

This comprehensive approach to compliance and legal obligations underscores Fiddlie's dedication to maintaining the highest standards of IP protection for its clients.

Policy Review and Updates

This policy is reviewed annually or following significant changes to the operational environment or relevant legislation. Amendments are made as necessary to ensure the ongoing protection of client IP.

Enforcement

Violations of this policy may result in disciplinary action, up to and including termination of employment or contract, legal action, and financial liability.