Purpose and Scope:

This Information Security Policy outlines Simpalm’s commitment to ensuring the security and confidentiality of our clients’ data and information. It applies to all client engagements and interactions involving data and information shared with Simpalm.

Policy Statement:

At Simpalm, we recognize the paramount importance of safeguarding our clients’ data and information. This policy underscores our unwavering dedication to maintaining the highest standards of information security to protect the confidentiality, integrity, and availability of client data.

Definitions:

  • Client Data: Any data or information provided to Simpalm by our clients, including but not limited to project details, business processes, and proprietary information.
  • Confidentiality: The protection of client data from unauthorized access or disclosure.
  • Integrity: The assurance that client data is accurate, reliable, and unaltered.
  • Availability: Ensuring that client data and information are accessible and usable when needed.
Our Approach:

Our comprehensive approach relies on multiple layers of protection, including:

  • Database firewall — Blocks SQL injection and other threats, while evaluating for known vulnerabilities.
  • User rights management — Monitors data access and activities of privileged users to identify excessive, inappropriate, and unused privileges.
  • Data masking and encryption — Obfuscates sensitive data so it would be useless to the bad actor, even if somehow extracted.
  • Data loss prevention (DLP) — Inspects data in motion, at rest on servers, and in cloud storage.
  • Data discovery and classification — Reveals the location, volume, and context of data on premises and in the cloud.
  • Database activity monitoring — Monitors relational databases and data warehouses to generate real-time alerts on policy violations.
Data Classification:

  • Client Confidential Data: Data provided by clients that, if disclosed, would cause harm to our clients or Simpalm.
  • Client Sensitive Data: Data provided by clients that, while not as critical as confidential data, still requires protection.
  • Public Data: Data that is publicly available without restrictions.
Access Controls:

  • Access to client confidential and sensitive data is restricted to authorized personnel directly involved in the project.
  • Strong authentication mechanisms and password policies are enforced.
  • Access permissions are reviewed and updated regularly based on project roles.
  • Access to client confidential and sensitive data is strictly controlled through role-based access control (RBAC), enforced multi-factor authentication (MFA), stringent password policies, regular access reviews, user activity monitoring, access logs, and encryption to ensure the highest level of data security and compliance.
Data Handling and Storage:

  • Data Classification: Client data is categorized based on its sensitivity, and it is handled in accordance with its classification. This ensures that appropriate security measures are applied based on the data’s importance and confidentiality.
  • Secure Storage: We employ secure data storage practices, including data encryption for all confidential and sensitive information. This encryption extends to data at rest, ensuring that even if unauthorized access occurs, the data remains protected.
  • Email and Communication Security: Our email and communication systems strictly adhere to secure transmission standards when exchanging client data. This includes encryption protocols to safeguard the confidentiality and integrity of data during transit.
Incident Response:

  • Simpalm has an incident response plan in place to address security breaches involving client data promptly.
  • All project teams are responsible for reporting security incidents involving client data immediately.
Third-party Services:

  • Third-party vendors engaged for client projects must adhere to our client information security standards and comply with applicable data protection laws.
  • We conduct security assessments of third-party services used in client projects before engagement.
Responsibilities:

  • Project Teams: All project teams are responsible for adhering to this policy and ensuring the secure handling and protection of client data.
  • Development Team: The development team is responsible for implementing and maintaining security controls specific to client data.
  • Management: Management is responsible for setting the overall security posture and ensuring compliance with this policy.
Compliance:

  • Simpalm adheres to all relevant data protection laws and industry-specific regulations applicable to client data.
  • Regular security audits and assessments are conducted to ensure compliance and uphold the confidentiality and integrity of client data.