Security Requirements Policy
1. Purpose
Incodia International Limited (the Company) uses a number of suppliers who provide services and goods. The effective management of these suppliers is essential to the provision of onward services to the Company's clients and to the security of the Company's systems and data. The Supplier Information Security Requirements Policy (the Policy) describes the control requirements for Suppliers who manage secret or confidential information.
2. Scope
This Policy applies to all suppliers which process, access, hold or transmit Incodia Protected Data.
3. Preface
Both new and existing suppliers within the above scope are required to comply with this Policy. Existing suppliers will be assessed on a prioritised basis, dealing with the largest and most significant first, with the ultimate aim of covering all of them. All new Suppliers will be required to comply with the terms of this Policy before engagement. Suppliers of non-permanent staff (referred to as freelancers) fall under the existing freelance recruitment procedures.
4. Overview
It is of vital importance to Incodia that its secret and confidential information remains secure and protected at all times. This Policy establishes the minimum standard of information security that relevant Suppliers to Incodia must apply, on a global basis, to protect Incodia resources and data.
5. Definitions
"Information Security Incident" means (i) the loss or misuse (by any means) of any Incodia Protected Data; (ii) the inadvertent, unauthorised and/or unlawful processing, corruption, modification, sale, or rental of any Incodia Protected Data; or (iii) any other act or omission that compromises the security, confidentiality or integrity of any Incodia Protected Data.
"Information Systems" means all hardware, software, operating systems, database systems, software tools and network components used by or on behalf of Incodia to receive, maintain, process, store, access or transmit Incodia Protected Data.
"Incodia Protected Data" means any data or information of or concerning Incodia or its Affiliates, or Incodia's or Incodia's Affiliates' Clients or other recipients of the Services, that is provided to or obtained by Supplier or any member of Supplier Personnel in connection with the negotiation and execution of the Agreement or the performance of Supplier's obligations under the Agreement, including any such data and information that either (i) is created, generated, collected or processed by Supplier Personnel in the performance of Supplier's obligations under the Agreement, including data processing input and output, Service Level measurements, asset information, reports, third party service and product agreements, and Supplier's charges to Incodia, or (ii) resides in or is accessed through Incodia's Information Systems or Supplier's Information Systems; as well as any data and information derived from the foregoing. For the avoidance of doubt, Incodia Protected Data includes, but is not limited to, all Incodia Secret and Confidential Information.
"Security Questionnaire" means the questionnaire, provided by Incodia and completed by Supplier, designed to assess Supplier's information security controls in alignment with industry standards (ISO/IEC 27001).
"Supplier Personnel" means any and all personnel engaged by or on behalf of Supplier to perform any part of the Services, including employees, freelancers and independent contractors of Supplier and Supplier's Affiliates.
6. Comprehensive Information Security Programme
Supplier warrants and represents, on an ongoing basis, that all answers provided by Supplier in the Security Questionnaire are accurate. Supplier shall not materially change any aspect of its operations in a way that would, from the perspective of Incodia, degrade or otherwise materially adversely affect the level of security provided to Incodia Protected Data. Supplier shall reassess itself against the Security Questionnaire upon the earlier of (a) any material change to any aspect of the Supplier's operations, or (b) every three years. Where, as a result of any such reassessment, the Supplier's answers to the Security Questionnaire no longer accurately reflect the Supplier's operations, the Supplier shall promptly provide an updated Security Questionnaire to Incodia.
7. Remote Access to Incodia Information Systems
Where remote access to Incodia systems is required, the Supplier will be provided with secure access to an email account, an external cloud-based system and/or an Incodia laptop. Any change to the Supplier Personnel who access Incodia systems must be notified to Incodia as soon as possible, and in any event within 5 working days.
8. Protecting Incodia Information
Supplier shall implement the agreed information security controls, as well as general information security best practice, across all supplied components and materials including software, hardware and information, to safeguard the confidentiality, availability and integrity of Incodia's information and systems. Where applicable, the Supplier shall provide Incodia with full documentation of its implementation of logical security, and shall ensure that such security:
- prevents unauthorised access to Incodia systems,
- detects security breaches and enables quick rectification of any problems and identification of the individuals who obtained access and determination of how they obtained
9. Data Encryption
Supplier will encrypt all Incodia Protected Data when it is stored on portable devices and media, or when it is transmitted over non-secure communication channels (e.g. the internet, email or wireless transmission), including remote connectivity, using solutions that are certified against the U.S. Federal Information Processing Standard (FIPS) 140-2, Level 2, or an equivalent industry standard, and will verify that the encryption keys and any keying material are not stored with the data they protect.
When transferring Incodia Protected Data, and in communications between Incodia and Supplier, Supplier will use secure email, such as enforced (mandatory) Transport Layer Security (TLS), and will implement any network connectivity with Incodia that Incodia requires Supplier to provide in accordance with Incodia-approved connectivity standards.
Where Incodia Protected Data could be transferred to removable media, a mobile device or an uncontrolled computer, Supplier will implement, monitor and maintain encryption and information leakage prevention tools meeting the same FIPS 140-2 Level 2 (or equivalent) requirement, again verifying that the encryption keys and any keying material are not stored with the associated data. Supplier shall prohibit the transfer of Incodia Protected Data to Supplier mobile devices where the security measures employed on those devices do not meet the requirements of this Section 9 (including, without limitation, where the devices do not support the technologies required to comply with them).
10. Access
a) General
Supplier will limit access to Incodia Protected Data to authorised persons or roles on the principle of least privilege: every user is assigned the lowest permission level that still allows the relevant Supplier Personnel to complete their assigned tasks. Before creating any account that provides access to the Supplier's Information Systems, Supplier must confirm the identity of the Supplier Personnel concerned using independent, verifiable identity documents (for example, government-issued documents such as a passport or driving licence). Supplier will review all account access and change such access in line with role changes.
b) Passwords
Any password issued to a user by an administrator must be changed by the user on first use. Where user-initiated password resets are used, the process that creates the temporary password must generate secure temporary passwords that cannot be derived from previous passwords (for example, an auto-incrementing scheme that generates "abc1" followed by "abc2" would not meet this requirement, nor would a scheme that identifiably uses the current date as the basis of password generation), must not reuse passwords, and must communicate the temporary password to the user through a channel accessible only to that user. Where Supplier suspects that unauthorised access to any user account has occurred, Supplier shall immediately revoke the password for that account.
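The temporary-password rules in 10(b) translate directly into code. The following is an added example, not part of the Incodia policy or of any Incodia system; the class, method and field names (TemporaryPasswordIssuer, Account, TEMP_LIFETIME, PBKDF2_ROUNDS) and the 24-hour validity window are assumptions chosen for illustration. It contrasts the two rejected generators named in the policy (a counter and a date stamp) with a CSPRNG-based generator, and enforces the remaining requirements: forced change on first use, no reuse (checked against a per-account history of salted hashes), expiry of unused temporary passwords, and immediate revocation.

```python
"""Temporary-password issuance along the lines of Section 10(b).

Added example; not part of the Incodia policy. Class, method and field
names (TemporaryPasswordIssuer, Account, TEMP_LIFETIME) are assumptions.
"""
import datetime as dt
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits
TEMP_LENGTH = 16
TEMP_LIFETIME = dt.timedelta(hours=24)  # assumed validity window for a temporary password
PBKDF2_ROUNDS = 100_000


def weak_sequential(previous: str) -> str:
    """The pattern the policy rejects: 'abc1' is followed by 'abc2'."""
    stem = previous.rstrip(string.digits)
    counter = int(previous[len(stem):] or 0)
    return f"{stem}{counter + 1}"


def weak_date_based(issued_on: dt.date) -> str:
    """Also rejected: anyone who knows the issue date can reproduce it."""
    return "Welcome" + issued_on.strftime("%d%m%Y")


def generate_temporary_password(length: int = TEMP_LENGTH) -> str:
    """CSPRNG-based: each value is independent of every earlier one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int = TEMP_LENGTH, alphabet: str = ALPHABET) -> float:
    """Size of the guessing space; 16 chars over 62 symbols is about 95 bits."""
    return length * math.log2(len(alphabet))


@dataclass
class Account:
    user: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    current_hash: Optional[bytes] = None
    history: List[bytes] = field(default_factory=list)  # every hash ever set; blocks reuse
    must_change: bool = False                            # True while a temporary password is live
    expires_at: Optional[dt.datetime] = None


class TemporaryPasswordIssuer:
    def __init__(self, clock: Optional[Callable[[], dt.datetime]] = None):
        self.accounts: Dict[str, Account] = {}
        self._clock = clock or (lambda: dt.datetime.now(dt.timezone.utc))

    @staticmethod
    def _hash(acct: Account, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)

    @staticmethod
    def _seen_before(acct: Account, digest: bytes) -> bool:
        return any(hmac.compare_digest(digest, old) for old in acct.history)

    def issue(self, user: str) -> str:
        """Create a temporary password that must be changed on first use.

        Deliver the returned value only over a channel accessible to the user
        alone (e.g. their verified mailbox), never via a shared ticket or chat.
        """
        acct = self.accounts.setdefault(user, Account(user))
        while True:  # practically never loops, but guarantees no reuse
            candidate = generate_temporary_password()
            digest = self._hash(acct, candidate)
            if not self._seen_before(acct, digest):
                break
        acct.current_hash = digest
        acct.history.append(digest)
        acct.must_change = True
        acct.expires_at = self._clock() + TEMP_LIFETIME
        return candidate

    def verify(self, user: str, password: str) -> Tuple[bool, bool]:
        """Returns (authenticated, must_change_now)."""
        acct = self.accounts.get(user)
        if acct is None or acct.current_hash is None:
            return (False, False)
        if acct.expires_at is not None and self._clock() > acct.expires_at:
            return (False, False)  # unused temporary password has expired
        ok = hmac.compare_digest(self._hash(acct, password), acct.current_hash)
        return (ok, ok and acct.must_change)

    def set_permanent(self, user: str, temporary: str, new_password: str) -> bool:
        """Complete the forced reset; refuses any password already used on the account."""
        ok, must_change = self.verify(user, temporary)
        if not (ok and must_change):
            return False
        acct = self.accounts[user]
        digest = self._hash(acct, new_password)
        if self._seen_before(acct, digest):
            return False
        acct.current_hash = digest
        acct.history.append(digest)
        acct.must_change = False
        acct.expires_at = None
        return True

    def revoke(self, user: str) -> None:
        """Immediate revocation on suspected unauthorised access."""
        acct = self.accounts.get(user)
        if acct is not None:
            acct.current_hash = None
            acct.must_change = False
            acct.expires_at = None
```

The point of the two weak generators is the size of the guessing space: an attacker who has seen "abc1" needs one guess for the next value, and a date-based scheme needs at most a few hundred guesses per year of possible issue dates, whereas the CSPRNG output has roughly 95 bits of entropy and tells an attacker nothing about the next value. The history check uses the account's own salted PBKDF2 hashes, so the reuse test never needs plaintext passwords to be kept.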
11. Vetting of Supplier Personnel
Supplier shall ensure that any Supplier Personnel who will have (a) physical access to any Incodia site for a period of time sufficient to warrant Incodia providing them with an identification badge permitting unescorted access, or (b) access to Incodia Protected Data, have been the subject of pre-engagement screening in accordance with Attachment A to this Policy.
12. Physical Security
Depending on the type of services that the Supplier is providing, one of the following controls (a or b) will be required:
a) General
Supplier shall ensure that Incodia Protected Data is physically secured against unauthorised access, including, but not limited to, by applying appropriate physical safeguards to all areas of the Supplier's Information Systems.
b) Hosting
Where, and to the extent that, Supplier is providing hosting services as part of the Services, it must implement the following controls as a minimum level of physical security:
- All hosting facilities including buildings and infrastructure shall meet the standards set out in ISO/IEC 27001 or such other standards agreed in writing by Incodia following a security risk assessment undertaken by Incodia or an independent third party.
- All Incodia Protected Data processed, accessed, held or transmitted by Supplier will be physically stored in a facility subject to the following security controls:
  - an authorised access control list, with a photo ID check required to access the data centre floor;
  - locked server cabinets;
  - a 24x7 physical intrusion monitoring alarm system.
13. Malicious Code
Supplier will not incorporate or introduce, nor permit or facilitate the incorporation or introduction of, Unauthorised Code into the Supplier's Information Systems or any Incodia Information Systems. Supplier shall at all times employ adequate security practices to prevent, detect, mitigate and protect against the introduction of any such Unauthorised Code into the Supplier's Information Systems in real time. "Unauthorised Code" means any: (i) computer virus, or harmful programme or data, that destroys, erases, damages or otherwise disrupts the normal operation of the Supplier's Information Systems or allows unauthorised access to them; (ii) worm, trap door, back door, timer, counter, software lock, password check, CPU serial number check, time dependency or other such routine or instruction that is designed to interrupt or limit the proper operation of the Supplier's Information Systems; (iii) spyware or adware; and (iv) any other similar programme, data or device that is inserted for an improper purpose.
14. Network Security
Supplier shall maintain and keep up to date the network component inventories, network topology diagrams, data centre diagrams and IP address allocations for each network that connects to Incodia Information Systems (and their interconnections), whether supported by the Supplier, any Supplier Affiliate or a third party on Supplier's behalf. Supplier shall secure all connectivity between the Internet and the Supplier's Information Systems to a standard that includes at least the following:
- ensuring the network perimeter is protected by industry-leading enterprise firewall systems, including (but not limited to): (i) establishing port, protocol and IP address restrictions that limit the inbound/outbound protocols to the minimum required; and (ii) ensuring all inbound traffic is routed to specific and authorised destinations;
- configuring perimeter systems with redundant connections, to ensure there are no single points of failure;
- inspecting network traffic with an intrusion detection or prevention capability that alerts on, or blocks, known patterns associated with security vulnerabilities or denial of service attacks, with signatures updated regularly so that newly published threats are covered as well as known ones;
- maintaining and enforcing security procedures in operating the network that are at least: (i) consistent with industry standards for such networks; and (ii) as rigorous as those procedures which are in effect for other similar networks owned or controlled by Supplier;
- maintaining and enforcing operational and security procedures that prevent the provision of network connectivity to third parties where such access would enable the third party to access Incodia Protected Data, or access the Incodia Information Systems should network interconnections between Incodia and Supplier be enabled, without express written permission from Incodia;
- implementing perimeter management controls to ensure, at a minimum, that perimeter systems are configured to be resistant to resource exhaustion (e.g., to denial of service attacks); and
- keeping Incodia Protected Data logically separated from all other Supplier data and from the data of other Supplier customers.
15. Security Incident Management
a) General
Supplier will implement documented standards and procedures for dealing with suspected and actual security events, incidents and cybercrime attacks against the organisation (the "Incident Management Procedure") and shall provide Incodia with full details of the Incident Management Procedure upon request.
b) Data Security Breach Reporting
The Supplier shall notify Incodia of any suspected or actual security event, incident or cybercrime attack by emailing Incodia at the DPO email address published on Incodia's website. Supplier will notify Incodia within six (6) hours of identifying an actual or potential Data Security Breach.
c) Data Security Breach
In the event of a Data Security Breach, Supplier will:
- take all appropriate corrective action, including, solely at the request of Incodia (and at Supplier's expense, save where the Data Security Breach is due to the fault of Incodia), providing notice to all persons whose personal data may have been affected by the Data Security Breach, whether or not such notice is required by Applicable Law; and
- where the Data Security Breach is due to the fault of Supplier, reimburse Incodia (subject to Incodia giving Supplier written notification of such costs together with reasonable supporting information) for all reasonable costs Incodia may incur in connection with remediation efforts, including costs incurred in connection with;
- resolve any Data Security Breach resulting from unauthorised access, including identification of any Incodia Protected Data disclosure, alteration or loss, and notification of Incodia as required under the Incident Management Procedure.
16. Reporting
At Incodia's discretion and with due regard to the type of service provided, Supplier shall provide the following reports to Incodia at the frequency set out below:

| Report | Description | Frequency |
|---|---|---|
| Service Level Agreement (SLA) | Metrics which demonstrate achievement against supplier SLAs. | |
| Joiners, Movers and Leavers | Report of users who need to be added to or deleted from Incodia systems. | Movers and Leavers within 5 days; Joiners per request |

17. Indemnity
The Supplier shall indemnify, defend and hold harmless Incodia and its Affiliates, Incodia's or its Affiliates' Clients, and the officers, employees, sub-contractors and agents of any of them, against any and all actions, costs, claims, losses, damages, expenses and liabilities of whatever kind relating to or arising out of a breach by Supplier of the terms of these Information Security Requirements.
18. Audit
On reasonable notice and during normal working hours, Incodia shall have the right, but not the obligation, to review periodically the Supplier's and/or Supplier Affiliates' operations, processes and systems, insofar as they relate to the Services, for the purpose of monitoring the Supplier's and/or Supplier Affiliates' compliance with the terms and conditions of this Policy. Such reviews shall not relieve the Supplier and/or Supplier Affiliates of their responsibility to comply with, and to monitor their own compliance with, all terms and conditions of this Policy. Supplier shall implement all recommendations resulting from any such audit.

Attachment A
1) Screening of Supplier Personnel
a) Screening
Supplier shall perform pre-engagement screening of Supplier Personnel at the time of hiring, in a manner consistent with Incodia's minimum required screening criteria as set out in this Attachment and as permitted by law in the country of hire. In addition, where permitted by local law, Incodia or its designated agents may perform additional screening relating to the identity, criminal record and debarment of any Supplier Personnel.
b) Cooperation
Supplier agrees to cooperate with Incodia in connection with such screening by requiring Supplier Personnel to submit the information reasonably required to enable Incodia or its agents to identify them and conduct the screening. Should any Supplier Personnel refuse to cooperate with such screening, Supplier shall not use that person to provide the Services unless specifically approved by Incodia. Supplier shall be responsible for maintaining a pool of pre-screened personnel as reasonably necessary to support Supplier's performance of the Services.
c) Minimum Required Screening
- An identity
- Verification of entitlement to employment through the use of work permits or similar documents.
- Verification of pertinent licences including, motor vehicle licences, certifications and operating documents that are required by law or required due to the nature of the position/job description and/or
- Previous employment reference
- Verification of dates of employment claimed for the previous seven (7)
- previous employment with Incodia that was terminated with cause;
- false statements or claims on CV/resume/application forms;
- false or exaggerated educational or professional qualifications;
- inappropriate references from referees or previous employers;
- relevant and/or undisclosed criminal convictions (where checks are permitted by law);
- unexplained gaps in employment history;
- lack of co-operation by the applicant; or
- exclusion by
Document Classification: Public | Version: V2 | Approval Date: March 2021

| Purpose | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To register you as a new customer | | Performance of a contract with you |
| To process and deliver your order including: (a) Manage payments, fees and charges; (b) Collect and recover money owed to us | (e) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to recover debts due to us) |
| To manage our relationship with you which will include: (b) Asking you to leave a review or take a survey | (d) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To enable you to partake in a prize draw, competition or complete a survey | (e) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (e) Marketing and Communications | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (f) Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) |
We will normally keep your personal data for 10 years after your last interaction with us, or our Website. If we consider that you are no longer an active user of our Website or our services we may delete your personal data sooner than this.
We expect to contact you at least every two years to ensure you are still happy to hear from us according to the preferences you have provided to us.
Transfer of your personal data outside of Europe
Some of our Suppliers and Partners are located in regions outside of Europe. If you agree to us providing your details to our Suppliers or Partners, your data may be transferred to the relevant Supplier or Partner in order to satisfy your requirements.
Privacy laws and practice are constantly developing and we aim to meet high standards. Our policies and procedures are, therefore, under continual review. We may, from time to time, update our security and privacy policies. If we want to make any significant changes in how we will use your personal data we will contact you directly and, if required, seek your consent.
We will ensure our Website has our most up to date policy and suggest that you check this page periodically to review our latest version.
Updating and correcting personal data
You may update or correct your personal data by contacting us in writing or by telephone and asking us to do it for you. Please include your name and/or email address when you contact us as this helps us to ensure that we accept amendments only from the correct person.
We encourage you to promptly update your personal data if it changes. If you are providing updates or corrections about another person, we may require you to provide us with proof that you are authorised to provide that information to us.
You have a number of legal rights in respect of your personal data. These include:
- The right to receive a copy of the personal data that we hold about you. We will require proof of identity and proof of authority if the request comes from someone other than the person whose data we are asked to provide. This will ensure we only provide information to the correct person. We normally expect to respond to requests within 28 days of receiving them.
- The right to withdraw consent to direct marketing. You can exercise this right at any time and can update your preferences yourself or ask us to do it for you. See the section 'Updating and correcting personal data' above for details.
- The right to withdraw consent to other processing. Where the only legal basis for our processing of your personal data is that we have your consent, you may withdraw that consent at any time and we will have to stop processing your personal data. Please note that this affects only new activity and does not mean that processing carried out before you withdrew your consent was unlawful.
- If you consider any of your personal data is inaccurate, you can correct it yourself or ask us to do it for you (see section ‘Updating and correcting your personal data’ above for details).
- In limited circumstances you may be able to require us to restrict our processing of your personal data. For example, if you consider what we hold is inaccurate and we disagree, the processing may be restricted until the accuracy has been verified.
- Where we have no lawful basis for holding onto your personal data you may ask us to delete it.
- In limited circumstances you may be entitled to have the personal data you have provided to us sent electronically to you for you to provide to another organisation.
- The right to complain to the Information Commissioner's Office. If you have a concern or complaint we would prefer you to contact us first (see the section 'How to contact us' above) and we will try to resolve it for you. If you want to make a complaint to the Information Commissioner's Office, you can find information on how to do this at ico.org.uk.