This set of security policies is designed to establish a strong security framework for Salted Stone. These policies are intended to safeguard sensitive client data, protect the integrity of our digital assets, and ensure the confidentiality, availability, and integrity of information within our organization.
These security policies apply to all employees, contractors, and third parties who have access to Salted Stone's digital marketing resources, systems, and data.
All data handled by Salted Stone must be classified based on sensitivity. Classification levels include:
- Public Data: Non-sensitive, non-confidential information.
- Internal Data: Sensitive but not confidential information.
- Confidential Data: Highly sensitive and confidential information.
- Data owners must label and classify data appropriately.
- Access controls and permissions should align with the data classification.
Data must be handled with care and follow data protection best practices. We do not handle highly sensitive data such as medical records, customer credit cards, etc.
- Sensitive data should be encrypted in transit and at rest.
- Unauthorized access to data is strictly prohibited.
- Data backups must be regularly performed and tested for recovery.
Remote Work Security
Employees working remotely must follow security protocols to protect data and systems.
- Use secure, company-provided or company-reviewed-and-approved devices for remote work.
- Use secure connections when accessing sensitive company resources.
- Report lost or stolen devices immediately.
User accounts should be created and maintained securely.
- Use strong passwords.
- When applicable, use MFA (multi-factor authentication) for platform access.
- Regularly review and revoke access for employees who no longer require it.
Role-Based Access Control (RBAC)
Access to systems and data should be based on roles and responsibilities.
- Implement RBAC to ensure employees have the least privilege necessary to perform their job functions.
- Regularly review and update access permissions based on job changes.
Authentication and Authorization
Authentication and authorization mechanisms should be robust.
- Implement strong authentication methods, including password policies and MFA.
- Ensure access is granted based on role and documented approvals.
All employees must receive security training on phishing awareness, safe browsing practices, and reporting security incidents.
- Provide security training during onboarding and periodically thereafter.
Incident Response Plan
All incidents must be reported and documented.
Incidents that may be encountered by team members might include:
- Security breaches of websites (most commonly WordPress)
- Discovering a major bug on a live website
- Discovering flaws in a workflow automation
- or discovering that a previously working integration has broken for some reason
- Immediately notify the relevant manager
- Relevant manager to review the incident with any team members that have contextual information.
- If warranted (meaning, a significant incident has occurred that could impact our clients or our own agency), escalation immediately goes to the regional General Manager.
- Client point-of-contact is to be notified immediately after enough information has been gathered to articulate the scenario including:
- What happened
- What the impacts are as we understand them
- What is being done (or, what we recommend should be done if we lack the authority or resources to act unilaterally)
Upon resolution of the incident, a detailed breakdown of the incident timeline, relevant actions, downstream effects, and necessary changes is to be documented and provided to the client and internal stakeholders.
Vendor Security Assessment
Vendors handling sensitive data must meet security standards.
- Conduct security assessments before engaging with vendors.
- Include security requirements in vendor contracts.
Salted Stone employees must comply with all relevant laws and regulations. Employees are also responsible for adhering to regional compliance standards and laws on behalf of our clients - especially in the areas of data privacy (GDPR, CCPA, etc.).
- Regularly review and update policies to ensure compliance.
- Conduct periodic audits to assess compliance.
Reporting Security Incidents
All security incidents must be reported promptly.
- Establish clear reporting procedures for security incidents.
- Encourage employees to report any suspicious activity or security breaches.
Policy Review and Revision
Security policies should be reviewed and updated regularly.
- Conduct policy reviews at least annually.
- Update policies as needed to address emerging threats and technologies.
Non-compliance with security policies may result in disciplinary action.
- Clearly communicate consequences for policy violations.
- Consistently enforce consequences for violations.
Salted Stone is committed to maintaining a secure environment for our clients and our organization. These security policies are essential for protecting sensitive data, maintaining the trust of our clients, and ensuring the continued success of our agency. It is the responsibility of all employees to adhere to these policies and actively contribute to the security culture within our organization.