Information Security

This policy sets forth the basic standards for dealing with Personal Information and Confidential Information that must be followed by all directors, officers, employees, and independent contractors of SOUTHWORKS ("SOUTHWORKS Personnel"; "SOUTHIES"; or "we") in our daily work.

The goal of the Information Security policy is to protect Personal Information (such as, but not limited to, name, identification number, location data, social identity, email) and Confidential Information (including, but not limited to, source code, hardware and software products, internal line-of-business applications, pre-release marketing materials, product license keys and technical documentation) held or processed by SOUTHWORKS. Data protection is essential for our business, and there are many laws and regulations that must be complied with in order to use private data (e.g., violations of the European Union’s General Data Protection Regulation (GDPR) can cost 4% of the worldwide revenue).



Security

Our Security process establishes logical, physical and network security to ensure the protection of Personal and Confidential Information. Additionally, security incident management was established, as well as the protection of backups and critical systems through the disaster recovery plan.
For further information see P5-1-Technology Infrastructure.

SOUTHIES acknowledge that they have reviewed and understand the 👮👮‍♀️ Policies and Procedures made available to them by SOUTHWORKS. They also understand that it’s their responsibility to comply with, and implement, all policies and procedures included in SOUTHWORKS’ 👮👮‍♀️ Policies and Procedures documents.

SOUTHIES understand that failure to comply with the aforementioned 👮👮‍♀️ Policies and Procedures may result in disciplinary actions, up to and including immediate termination. In some cases, a breach of some company policies may also violate an international or local law. In such cases, the individual could also be subject to criminal prosecution.
All SOUTHWORKS personnel must review SOUTHWORKS 👮Policies & Procedures at the time of hiring, and yearly thereafter.


Confidential Information

SOUTHIES are, on occasion, entrusted with SOUTHWORKS confidential information and with the confidential information of SOUTHWORKS suppliers, customers or other business partners. This information may include: (1) technical or scientific information about current and future services or research; (2) business or marketing plans or projections; (3) earnings and other internal financial data; (4) personnel information; (5) supply and customer lists; and (6) other non-public information that, if disclosed, might be of use to competitors, or harmful to SOUTHWORKS' suppliers, customers or other business partners.

All the information described in the previous paragraph is the property of SOUTHWORKS, or the property of its suppliers, customers or business partners, and in many cases was developed at great expense.

SOUTHWORKS information should be used only for company purposes and should not be disclosed to anyone outside the company. Even within the company, only those individuals who truly need to know the information to conduct their business should have access to confidential information. If you leave SOUTHWORKS, you must return all company materials and property, and any copies.

SOUTHIES shall not take for themselves, or for family members or any other entities with which they are affiliated, any opportunity of which they become aware through the use of SOUTHWORKS property or information, or through their position with SOUTHWORKS, and shall not use SOUTHWORKS property or information, or their position with SOUTHWORKS, for personal gain other than actions taken for the overall advancement of the interests of SOUTHWORKS.

It is strictly prohibited to have, process or store any work-related information in any device that is not managed by SOUTHWORKS.

All SOUTHWORKS Personnel, upon commencement of employment with SOUTHWORKS and yearly thereafter, shall review and acknowledge the present 🔐Information Security policy and the 📃Code of Conduct that contain confidentiality provisions provided by SOUTHWORKS. Strict adherence to these confidentiality provisions is required of each SOUTHIE.


Acceptable Use of Software

It is strictly forbidden to install, execute, operate, download or copy any type of program, source code or file that does not have authorization and/or that has no strict connection with the work that is being carried out. Nor may any document or file be arranged by any means, such as, but not limited to, messaging, email, Internet, magnetic media, paper or any medium capable of transmitting information, without prior authorization from SOUTHWORKS. If a SOUTHIE were to transmit any information without the proper authorization, they will be responsible for the later destination or use of that information.

When SOUTHWORKS uses the work product from others, i.e., Software and Source Code, we must also be sure to follow the rules. For example, you should only use software for which you have a valid license and should only use that software in accordance with the terms of the license for that software. Use caution, as not all copyrighted materials bear a notice.


Acceptable Use of Email

For the scope of this policy, email will mean any correspondence, message, file, data or other electronic information that is transmitted to one or more people through a network of interconnection between computers.

Ownership of the email provided by SOUTHWORKS to the worker belongs to SOUTHWORKS, regardless of the name and access key that are necessary for its use. For that reason, SOUTHWORKS is empowered to control the information that is transmitted by means of said mail and, where appropriate, prohibit its use for personal purposes. The worker consents to the right of SOUTHWORKS to control the correct use of the tools, with free access to them, according to the conditions established in this Code of Conduct and in the law.

The exercise of these faculties by SOUTHWORKS as the owner of these rights, as well as the conditions of use and access to electronic work email, are notified in this act and by this means, being both parties duly notified of its content as a prerequisite to the exercise of those faculties.

SOUTHWORKS reserves the right to review the contents of existing folders in any directory of the machine used by the worker, as well as documents and spreadsheets or other types of documents normally used in the workplace, including those received by email.

The worker may only use the services, applications and e-mail programs of the company, solely and exclusively for purposes related to the provision of services established in this contract, and in complete accordance with the provisions of the section "Acceptable Use of Software". Its use for sending or disposing of files, programs, routines, etc. or any other information via email is not allowed without prior express authorization from SOUTHWORKS.


Password Policy

SOUTHWORKS utilizes Microsoft Azure Active Directory as its primary source of authentication. SOUTHWORKS passwords must comply with the standard requirements set forth in the Password policies and account restrictions in Microsoft Entra ID (formerly Azure Active Directory).

Unless unavailable, all SOUTHWORKS Systems must be integrated with Azure Active Directory to support Single Sign-On capabilities and centralized access control.

When Active Directory Integration is unavailable, SOUTHWORKS Personnel must follow the same password guidelines outlined in the Password policies and account restrictions in Microsoft Entra ID (formerly Azure Active Directory). In these scenarios, Multi-Factor Authentication must be enabled on the target systems.

For ad-hoc password management, SOUTHWORKS Personnel must utilize the Password Management Capabilities available to all SOUTHWORKS Personnel through 1Password.

Passwords must be kept in strict confidentiality. As such, they cannot be written on papers on the desk, attached to the computer monitor or left in any visible place. If you suspect that another user may have had access to the password, you must request a password reset immediately, as set forth in the Microsoft Entra ID (formerly Azure Active Directory) Documentation - How password reset works.

All SOUTHWORKS Personnel must configure the screensaver with a password and activation after five minutes without activity. Before leaving the computer, the user must lock it or activate the screensaver manually, thus preventing unauthorized persons from accessing the information.

It is strictly prohibited to reveal a password, even temporarily, to others who work on a project, whether it is a project of their own or one of which they are part or to which they have access. It is strictly forbidden for users to share accounts or allow others to use theirs.

All Microsoft Entra ID (formerly Azure Active Directory) Accounts must have MFA (Multi-Factor Authentication) enabled at the time of creation.


Device Security

All SOUTHWORKS personnel must commit to protecting the Equipment provided by SOUTHWORKS by keeping its software up to date and with the required security protections activated as specified in P5-1-Technology Infrastructure, such as but not limited to Firewalls, Anti-Malware Software, Windows Updates and Encryption (BitLocker).

All devices must be locked when not in use, and kept physically secure and in your view. Utilization of public wireless networks while working with PII, personal or confidential information is strictly prohibited unless you are tunneled through an encrypted VPN.

Check out P5-1-Technology Infrastructure for additional information about device security.


Physical Security

All SOUTHWORKS personnel must commit to protect the SOUTHWORKS Premises.

SOUTHWORKS Personnel must not provide any information about SOUTHWORKS premises to external people. This restriction includes but is not limited to information about layout, facilities, purpose, usage schedules, condition, improvements and future plans.

SOUTHWORKS Personnel must not let external people enter or ask external people to come to SOUTHWORKS premises. This includes but is not limited to food, mail, and other delivery services. However, delivery services can be received in public areas.

Upon leaving the SOUTHWORKS premises, all desks must be left clean of any work paper, magazines or brochures. Pencils and pens should be kept in a drawer or a pencil holder.

Eating on workspaces is strictly prohibited; SOUTHWORKS provides designated areas for that purpose. Beverages, fruits and available snacks are acceptable within SOUTHWORKS workspaces.

All equipment must be left turned off when leaving for the day, and the last person leaving should turn off the light and the A/C, if applicable. Employees must seek the correct and efficient use of energy, which is beneficial for all.

All SOUTHWORKS personnel must know how to use the fire extinguisher, and must know the evacuation plan and the meeting point in case of emergency.


Printing - Working with Hard-Copies

Destruction of Waste Copies - If a printer, copier, or fax machine jams or malfunctions when printing SOUTHWORKS Personal and/or Confidential information, the involved user must not leave the machine until all copies of the sensitive information are removed or are no longer legible. All paper copies of sensitive information must be disposed of by shredding or other methods.
Printing/Faxing Precautions - When printing sensitive information, the user must be present at the printer/fax at the time of printing to prevent the information from being revealed to unauthorized parties, or direct the output to a printer inside an area where only authorized SOUTHWORKS Personnel are permitted to go.


Privacy

SOUTHWORKS privacy guidelines ensure its commitment to confidentiality as well as the minimization of data collection and use. They establish the channels to access and update the Personal Information while ensuring the data quality.

As part of SOUTHWORKS 📃Code of Conduct, SOUTHWORKS Personnel must review and acknowledge their responsibilities when it comes to their commitment to Privacy.

All SOUTHIES are notified and give their consent to SOUTHWORKS to process their personal information at the time of joining the company by signing, reviewing and acknowledging the SOUTHWORKS 📃Code of Conduct.

Customers are notified and give their consent to SOUTHWORKS to process their Confidential Information through a signed and valid contract, statement of work, or purchase order containing privacy and security data protection language that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Information and categories of Data Subjects and the obligations and rights of the customer.

SOUTHWORKS commits to inform the customer if any customer instruction infringes applicable law.
All SOUTHWORKS personnel must review SOUTHWORKS 👮Policies & Procedures at the time of hiring, and yearly thereafter.


Collection and Monitoring of Personal and Confidential Information

Only strictly required Personal and Confidential information can be collected and retained as far as it is needed to deliver products and services to the customer and to comply with obligations under applicable law.

SOUTHWORKS does not collect customers’ Personal Information beyond the email addresses and names needed for communication purposes, but it does collect and monitor employees’ Personal Information as far as it is required by applicable law, to enable business operations and to benefit the employee, as set forth in the 🛡️Personal Data Protection policy.

SOUTHWORKS needs to process customer’s Confidential Information such as source code or pre-released documents and marketing materials to deliver products and services. To ensure the privacy of Personal and Confidential Information, data handled by SOUTHWORKS must be identified and classified as described in this policy.

SOUTHWORKS will make available all information necessary to demonstrate compliance with the obligations under applicable law and allow for and contribute to audits, including inspections, conducted by customers or other auditors.

The only Sensitive Personal Information collected by SOUTHWORKS is about its own personnel and is collected for the aforementioned reasons.

Complaints about Personal and Confidential Information must be e-mailed to isp@southworks.com and will be reported by the Compliance Specialist following the Incident Management described in P5-1-Technology Infrastructure.


Retention of Personal and Confidential Information

Personal Information at SOUTHWORKS is retained in accordance with the applicable law.

Confidential Information, such as customer’s source code, pre-released documents and marketing information, is retained during the project time and the time required for the service support.


Access to Personal and Confidential Information

SOUTHWORKS Personnel can access, edit and export their own Personal Information in BambooHR. All Personal Information access should be satisfied through S9-1 BambooHR, but in case a data requirement exceeds Bamboo services, an email can be sent to isp@southworks.com.


Accountability of Personal and Confidential Information

The SOUTHWORKS Chief Technology Officer is primarily responsible and accountable for Security and Privacy compliance. This is clearly defined in the D7-10 Roles and Position Chart and D7-1 Organizational Chart.

All SOUTHWORKS personnel agree and acknowledge that it is their own responsibility to maintain all their Personal Information up to date within the SOUTHWORKS System of Record: S9-1 BambooHR.


Personal and Confidential Information Disposal

Claims for data disposal must be requested in writing by sending an email to isp@southworks.com. The email account requesting the data disposal must be associated with a valid contract within SOUTHWORKS CRM. The data will be disposed of within 48 hours after checking the request through a second factor and getting an explicit written consent from the requestor.


Disclosure of Personal and Confidential Information to third-parties

SOUTHWORKS does not share customer’s Personal or Confidential Information with third parties. Only required employees’ personal information can be shared and delivered to government organizations as required by Law, such as but not limited to ANSES, AFIP, etc., and to private companies such as banks, insurance companies, wage-reporting companies, etc., to enable SOUTHWORKS business.


Personal Data Protection

All SOUTHWORKS personnel understand and consent, freely, expressly and in an informed manner, that, in the course of their professional relationship with SOUTHWORKS, their personal data or other information related to their employment and/or profession may be collected, processed, stored and/or transferred by SOUTHWORKS, its related companies or through third parties, for administrative, educational, statistical, legal, fiscal, accounting, internal audit, compliance and reporting purposes.

All SOUTHWORKS personnel must review and acknowledge the 🛡️Personal Data Protection policy made available to them at the time of hiring, and yearly thereafter.


Candidate Privacy Policy

SOUTHWORKS has a specific 👔Candidate Privacy Policy, made available to all applicants through its website, that explains what information we collect about you during the application or recruitment process for employment with SOUTHWORKS, as well as the purposes for which we collect and use that information.
Learn more about SOUTHWORKS 👔Candidate Privacy Policy


Website Privacy Policy

SOUTHWORKS has a specific 🌎Website Privacy Policy, made available to all users through its website, that explains the information collection and use practices of SOUTHWORKS through our website located at southworks.com (the “Site”). This Privacy Policy applies to visitors to the Site, who view only publicly available content (the “Visitors”). By visiting our Site, Visitors are agreeing to the terms of this Privacy Policy.
Learn more about SOUTHWORKS 🌎Website Privacy Policy


Information Type

When it comes to Privacy, SOUTHWORKS has its own definition of each Information Type as follows:

| Information Type | Description | Examples |
|---|---|---|
| Personally Identifiable Information (PII) | Any user data that uniquely identifies an individual such as contact information or is commingled or correlated with the individual PII. | Name, address, phone number, e-mail address. Demographics stored with the individual's PII or with a unique ID that can be linked to the individual's PII. |
| Sensitive Personal Information | Identifies an individual and could facilitate identity theft or fraud; is commingled or correlated with PII and used as a credential; is commingled or correlated with PII and could be used to discriminate or is legally defined as sensitive; is collected by a system and could hold Sensitive PII. | Some government issued ID numbers (e.g., social security number), credit card numbers, and bank account numbers. Passwords and PINs, biometrics (when used to authenticate), mother's maiden name. Sexual preference/sexual lifestyle, beliefs (e.g., political, religious, or philosophical), ethnicity and race, trade union membership, medical history or health records, financial information. |
| Personal Information | Any information that is linked or linkable to a particular person. It is important to resist thinking about privacy and security impacts as only related to PII. Personal Information includes the Personally Identifiable Information (PII) but it also includes any other information as far as it is linked or linkable to an individual. | Browser history, IP address, location, preferences, photographs, etc. |
| Confidential Information | Confidential Information is any information which, if compromised through confidentiality or integrity means, can result in significant reputational or financial loss for Southworks or for our customers. | Hardware and software products, internal line-of-business applications, product license keys and technical documentation related to Southworks’ or customer’s products and services. |

Information Classification

With regards to privacy, information must be classified in the following classes:

| Information Class | Description | Examples |
|---|---|---|
| General | Business data not meant for public consumption | Company announcements for employees |
| Confidential | Sensitive business data that could cause business harm if over-shared | Documentation for tools, services or devices including manual, process, procedures and configuration data |
| Highly Confidential | Very sensitive business data that would cause business harm if over-shared. An owner is defined in R8-1 Data Catalog for this kind of information. | Authentication credentials, customer payment data, new product design specifications, unreleased marketing plans |

Risk Management

All SOUTHIES must balance threats against their direct and indirect costs to SOUTHWORKS. We understand that SOUTHWORKS Personnel will typically be directed against the highest impact and highest priority threats. These solutions and/or mitigations may reduce the vulnerabilities, reduce the costs, or both. Remaining threats may be either accepted by business decision makers, balanced with insurance or avoided by staying clear of the activity and its associated risks.
Risks must be registered and managed following the procedure A7-6 Risks and Opportunities Management. Risks are reviewed at least quarterly, as indicated in the aforementioned procedure.


Incident Management

Security and Privacy incidents can be reported from inside or outside the company (e.g., customers, interested parties, etc.). In any case, the detected incidents must be reported immediately by sending an email to isp@southworks.com (this will automatically create a ticket in the https://swrks.co/help-desk system). It is considered a serious fault if an employee, vendor or any person performing any tasks on behalf of SOUTHWORKS delays or avoids reporting a detected Security or Privacy incident. Emails sent to this email account are received by the Chief Technology Officer (responsible for the Security and Privacy) and the Compliance Specialist.

Once an incident is reported to the isp@southworks.com email account, the Slack Help Desk will forward the email to the Compliance Specialist and it will automatically log it into the https://swrks.co/help-desk system so the person in charge of Security and Privacy manages the incident as specified in the D8-3 Incident Response Policy. All reported incidents will be addressed within 48 hours of being received.

In case the reported incident affects a customer, the incident and any foregoing investigation or action to remediate must be promptly communicated to the customer.
For further information see P5-1-Technology Infrastructure.


Customer and Additional Requirements

SOUTHWORKS is committed to full compliance with the laws, rules, and regulations of the countries in which it operates. All SOUTHWORKS personnel must comply with applicable laws, rules, and regulations while performing their duties. If any conflict arises between the SOUTHWORKS Security Policy and a specific customer requirement, applicable law, rule, or regulation, a ticket should be submitted through  https://swrks.co/help-desk .

The policies stated herein do not comprehensively cover all laws that apply to SOUTHWORKS personnel in every jurisdiction. SOUTHWORKS maintains a strong commitment to meeting specific customer-imposed standards, understanding that the guidelines outlined in this policy may not fully satisfy all customer requirements. Therefore, all SOUTHWORKS personnel are required to review, understand, and adhere to additional privacy and security guidelines specific to each customer engagement.

In alignment with Microsoft’s Supplier Security and Privacy Assurance (SSPA) framework, SOUTHWORKS has implemented an 👮‍♂️Information Security Policy for Microsoft Subprocessor Engagements. This policy addresses requirements for Microsoft engagements where SOUTHWORKS acts as a Subprocessor, detailing obligations for data protection agreements, processing instructions, privacy notices, data subject rights, and security protocols necessary to protect Microsoft Personal Data.

Hence, additional Privacy and Security guidelines must be read and understood by all SOUTHWORKS personnel as per specific customer requirements:

| Customer Requirement | Link |
|---|---|

Any waiver or exception to this Information Security Policy requires prior written approval from the Chief Technology Officer. Where required by law, such waivers will be promptly disclosed in accordance with legal requirements.

The Information Security Policy discussed herein may be amended from time to time.