Information Security Policy
This document describes the information security policy for PR Insights, including confidentiality, availability, safeguarding of data, and more.
Definitions
- Confidentiality: Privacy, or the ability to control or restrict access so that only authorized individuals can view sensitive information. Access is limited according to the "need-to-know" and "least privilege" principles.
- Integrity: Information is accurate and reliable and has not been changed or tampered with by unauthorized parties.
- Authenticity: The ability to verify that content has not been changed in an unauthorized manner.
- Non-repudiation & Accountability: The origin of any action on the system can be verified and associated with a user.
- Availability: Information and assets are accessible when needed.
- Disposal: Information is irretrievably destroyed in a secure manner when no longer needed.
- Equipment: All equipment used to store or process information, including computers, servers, and portable devices.
- Information: All data held or recorded electronically or on paper, classified as sensitive by default.
- Physical security: Measures to safeguard equipment and prevent unauthorized access or theft.
- HIDS/NIDS: Host-based and network-based intrusion detection systems for monitoring and alerting on suspicious activity.
Overview
Integrity, confidentiality, and availability of information are maintained through strict access controls, encryption, and secure development practices. Access to data is authenticated and authorized, and anonymized copies are used for lower-tier environments. Credentials are unique per employee and audited. Passwords are rotated and expired regularly.
Safeguarding Data, Applications, and Networks
- All data is hosted in the cloud with providers certified for ISO/IEC 27018, ISO/IEC 27001, and SOC 1/2/3.
- Data is encrypted at rest and in transit.
- CI/CD pipelines are used for secure deployment; only authorized personnel can deploy to production.
- Network traffic is encrypted, and peer-to-peer traffic is not allowed in production environments.
- Firewalls, VPNs, and private networks are used to block unauthorized access.
Threats and Protections
- Antivirus software is installed on all personal computers.
- Staff are educated on safe computing practices and password hygiene.
- Cloud provider security systems, HIDS, and NIDS are used to monitor for intrusions.
- All employee computers are encrypted at rest and secured with biometrics or hardware where possible.
Data Classification
- Public: Data with little or no risk if disclosed.
- Internal: Information restricted to personnel with a legitimate reason to access.
- Confidential: Information protected by law, contract, or company policy from unauthorized access or disclosure.