Data Security Policy
1. Purpose
To ensure all customer information from the Mobile Operator is protected, kept confidential, and used only for approved work.
2. Scope
This policy applies to all staff within the company, subcontractor staff, systems, devices, and processes that access or handle customer information.
3. Key Principles
Confidentiality
All classified data must be accessed only by those authorized to access it. Unauthorized access must be prevented.
Integrity
All data must remain complete, accurate, consistent and useful. Unauthorized modification of data must be prevented.
Availability
Data must be accessible and usable by those authorized to access it without undue delay or interruption.
4. Access Control
- ✦Access to customer data is granted only on a need-to-know basis.
- ✦Use individual accounts, not shared logins.
- ✦Multi-factor authentication (MFA) must be used for system access.
- ✦Access is removed immediately when staff leave the project or company.
5. Data Handling Requirements
- ✦Customer data is classified as Confidential.
- ✦Store data only in approved systems; never on personal devices or unencrypted media.
- ✦Encrypt data in transit (TLS 1.2+) and at rest (AES-256).
- ✦Do not copy or transfer data without written approval from the Operator.
6. Software Development Practices
- ✦Follow secure coding practices (e.g., OWASP).
- ✦Use test data or anonymized data; real customer data only when approved.
- ✦Perform security reviews before releasing software.
7. Incident Reporting
- ✦Any data breach, loss, or suspected unauthorized access must be reported to the Operator within 24 hours.
- ✦Subcontractor must support investigations and take corrective action promptly.
8. Data Retention & Disposal
- ✦Keep customer information only for the period approved by the Operator.
- ✦Securely delete or destroy data when it is no longer needed.
9. Physical Security
- ✦Lock devices, protect office spaces, and store any printed documents securely.
- ✦Shred printed materials immediately after use.
10. Compliance
- ✦All staff must complete security awareness training.
- ✦All staff must read, understand this policy and sign that they have read and understood the same.
- ✦The Operator may audit compliance at any time.
- ✦Non-compliance may result in disciplinary action or contract termination.
