This policy outlines Kongo's commitment to protecting client data, including intellectual property (IP), personally identifiable information (PII) of customers and staff, and other sensitive assets during the CRM implementation process.
Scope
This policy applies to all employees, contractors, and third-party vendors involved in handling client data for CRM implementations.
Policy Elements
Data Classification:
- Client data will be classified based on sensitivity (e.g., Confidential, Internal, Public).
- Appropriate security measures will be applied corresponding to the classification level.
Access Controls:
- Access to client data will be restricted on a need-to-know basis, using the principle of least privilege.
- Strong authentication mechanisms (e.g., multi-factor authentication) are used.
- User access will be regularly reviewed and revoked when no longer needed.
Encryption:
- Any client data handled by integration middleware will be encrypted in transit and at rest, using industry standards.
- Encryption keys will be securely managed and protected.
Network Security:
- Firewalls, intrusion detection/prevention systems, and network segmentation will be used to protect client data.
- Regular vulnerability scans and penetration testing will be conducted.
Physical Security:
- Client data is never stored on physical devices.
Incident Response:
- A comprehensive incident response plan will be in place to address potential security breaches.
- Breaches will be promptly reported, investigated, and corrective actions will be taken.
Training and Awareness:
- Employees will receive regular security awareness training on data protection procedures.
Compliance:
- Kongo will maintain awareness of and comply with relevant data privacy regulations (e.g., region-specific regulations like GDPR, Australian Privacy Principles).