

3. Purpose
This policy establishes the framework for protecting the confidentiality, integrity, and availability of QS's data and IT systems, and outlines the responsibilities, procedures, and controls necessary to safeguard information from unauthorized access, disclosure, alteration, and destruction.
The purpose of this policy is to ensure that all QS employees, contractors, and third-party users understand and adhere to best practices in information security, in compliance with applicable laws, regulations, and industry standards.
The structural elements of this policy:
· Scope and Purpose: clearly define the scope of the ISMS & PIMS.
· Objectives: state the information & privacy security management system objectives, such as the confidentiality, integrity, and availability of information.
· Roles and Responsibilities: identify key stakeholders and define their responsibilities in maintaining security.
· Change Management & Risk Assessment: identify and assess potential risks and threats that could disrupt business operations, and ensure that recent changes are traceable.
· Communication Plan: establish a comprehensive communication plan to ensure timely and accurate communication with employees, customers, suppliers, and other stakeholders.
4. Scope
This document is applicable to all locations where Institutional Performance (QSIP MoveON & MoveIN), Student Recruitment (QSSR) and Employability Management (QSEM 1Mentor) services are provided. It applies to QS staff, whether part time, full time, or contractors (referred to as "Employees"), and to all vendors that support QS critical business.
The information and privacy security policies and procedures developed under this document conform to information and privacy security best practices and apply across the whole of QS.
5. Information & Privacy Security Policy
The Information & Privacy Security Policy outlines the QS approach to its Information & Privacy Security Management System (ISMS & PIMS). It provides the guiding principles and responsibilities necessary to safeguard the security and privacy of QS information systems.
QS ISMS & PIMS Policy
We at QS shall continuously strive to enhance the competitiveness of our customers with a range of value-added products and provide world-class support to institutions at large by adopting a process approach to excellence.
This shall be enabled by implementing an Information & Privacy Security Management System (ISMS & PIMS), with the involvement of relevant stakeholders, for:
- Ensuring enhanced customer experience & meeting applicable requirements
- Proactively protecting & ensuring security & privacy of PII (Personally Identifiable Information) data and information assets
- Fulfilling compliance obligations to applicable country specific privacy laws and regulations
- Ensuring information security & privacy through design, risk management, change management & applicable controls
- Cascading information security and privacy requirements to Suppliers thereby ensuring the customer value chain is compliant.
- Continually improving the ISMS & PIMS and its processes.
QS is committed to a robust implementation of Information & Privacy Security Management. It aims to ensure the appropriate confidentiality, integrity, and availability of data, and the protection of privacy as potentially affected by the processing of PII (Personally Identifiable Information).
The principles defined in this policy apply to all physical and electronic information assets for which QS is responsible. QS is specifically committed to protecting privacy while processing PII, and to preserving the confidentiality, integrity, and availability of documentation and data supplied by, generated by, and held on behalf of third parties in the course of work agreed by contract. This is done in accordance with the requirements of the security and privacy standards ISO/IEC 27001 and ISO/IEC 27701 and applicable country-specific legal and regulatory requirements, specifically the GDPR (Regulation (EU) 2016/679).
This policy may be supplemented with additional specific policies in relation to commercial offers when appropriate. Country-specific data protection requirements, including GDPR requirements such as Data Processing Agreements (Art. 28), Technical and Organisational Measures (Art. 28 & 32), the inventory of data processing (including the protection of privacy as potentially affected by the processing of PII) and Data Flow Diagrams, Transfer Impact Assessments (Art. 46, Chapter V), EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Data Protection Impact Assessments (Art. 35), and Records of Processing Activities (Art. 30), shall be ensured through ISMS & PIMS procedures and controls, as per the Statement of Applicability.
5.1. Approval
The Information and Privacy Security Policy has been developed by the compliance team and process owners, and reviewed and approved by management and the CISO (Chief Information Security Officer). This policy is communicated to all QS users who are likely to interact with the QS information system, and its application is mandatory.
5.2. Information Security and Privacy controls
The selected controls and their implementation status are listed in the Statement of Applicability.
6. QS Organization
6.1. Senior Management
Strategic decisions and matters regarding the information security and privacy requirements for the information systems are managed by senior management. Senior management demonstrates leadership and commitment concerning information & privacy security by:
• Ensuring the information & privacy security policy and objectives are established and are compatible with the strategic direction of QS.
• Ensuring the integration of the information & privacy security management system requirements into the organization’s processes.
• Ensuring that the resources needed for the information & privacy security management system are available.
• Communicating the importance of an effective information security & privacy management system and of conforming to its requirements.
• Ensuring that the information & privacy security management system achieves its intended outcome(s).
• Directing and supporting persons to contribute to the effectiveness of the information & privacy security management system.
• Promoting continual improvement and supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
6.2. Chief Information Security Officer (CISO)
Senior management appoints a CISO responsible for information systems security and privacy. The CISO plans, coordinates, and monitors all activities related to information security & privacy. The role of the CISO is as follows:
· Lead and coordinate the actions of the group of users associated with information system security and privacy.
· Assist and advise on the risks and the information security & privacy measures to be implemented during the development of new systems.
· Define and propose the means of protection and the actions required to achieve information security & privacy objectives.
· Ensure that solutions address the security & privacy issues at hand and comply with the requirements of the information & privacy security policy.
· Define and consolidate reporting to senior management (Management Review Meeting, MRM).
· Be responsible for implementation of the Information & Privacy Security Management System.
· Periodically review and update the ISMS & PIMS processes to ensure the efficiency and effectiveness of information & privacy security controls.
· Communicate regular updates on changes to legislation and to internal ISMS and PIMS processes or methods to employees.
· Monitor information & privacy security incidents and take appropriate action.
· Evaluate compliance with company processes through regular internal audits.
· Organise information & privacy security training for all employees.
· Organise security & privacy awareness campaigns to strengthen the security & privacy culture and develop a broad understanding of the ISMS and PIMS requirements.
· Ensure that internal audits are conducted periodically and that action items are taken to closure.
· Maintain appropriate contacts with relevant authorities (regulatory, legal).
· Provide a vision for the organisation from an information security & privacy standpoint.
6.3. Privacy Officer
The Privacy Officer shall support the Data Protection Officer, where required, in providing and maintaining the documentation required by ISO/IEC 27701 to demonstrate compliance with the GDPR and other applicable country-specific privacy laws. Key responsibilities include:
· Informing and providing expert advice to all members of staff in his/her country of responsibility regarding their obligation to comply with the provisions of the GDPR and the relevant country-specific laws and regulations when processing personal data.
· Monitoring compliance with the Data Protection Policy and any other internal documents relating to data protection in his/her country of responsibility, and informing the Data Protection Officer of any non-compliance in a timely manner.
· Acting as the main point of contact for employees in his/her country of responsibility and cooperating with all members of staff on matters of data protection.
· Taking the necessary steps in his/her country of responsibility to execute and roll out the Data Breach Response and Notification Procedure, which specifies the process for reporting personal data breaches, and informing the Data Protection Officer accordingly.
· Ensuring that training and awareness is available and delivered to all members of staff involved in the processing of personal data in his/her country of responsibility.
The following responsibilities may also be assigned, in consultation with the Data Protection Officer, provided they do not conflict with the key activities listed above:
· Review and develop procedures and other controls for the protection of personal data.
· Establish adequate controls to ensure and maintain the confidentiality, integrity, and availability of personal data.
· Contribute to the business continuity and disaster recovery planning process to ensure that personal data processing is considered.
The Privacy Officer reports to the Data Protection Officer (DPO).
6.4. Line Managers
Line managers are responsible for administering and reviewing user access and authorization to the services they own. With the assistance of the CISO, they ensure that their teams are aware of information system guidelines and security & privacy policies.
6.5. Data Protection Officer
The Data Protection Officer ensures that all necessary measures have been taken by QS in relation to legal, regulatory, and contractual matters. Regarding information system security and privacy, the mission of the DPO is to:
· Keep up to date with legal standards and case law and, in collaboration with the CISO, communicate and state the internal obligations related to information system security & privacy.
· Ensure compliance with legal, regulatory, and contractual provisions concerning information system security & privacy.
· In collaboration with the CISO, identify and keep track of legal, regulatory, and contractual obligations.
· Document and update the procedures used to meet legal, regulatory, and contractual obligations.
· Ensure, in collaboration with the personnel concerned, that information security & privacy requirements are integrated into contracts with all service providers and external partners.
· Carry out regular reviews of contracts.
· Establish legal references.
· Monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
· Cooperate with the supervisory authority.
· Act as the contact point for the supervisory authority on issues relating to processing, including prior consultation, and consult it, where appropriate, on any other matter.
· Play a supporting role to the various entities; the DPO may therefore be consulted whenever further information is required.
· Have due regard to the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing.
7. Understanding the organisation and its context
An overview of QS products is addressed in the QS Business Summary.
QS has determined the external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended outcomes of the ISMS & PIMS. QS monitors and reviews information about these external and internal issues at least once every 6 months, or whenever there is a change.
8. Human Resource & Workplace
Human resource management shall apply the security & privacy rules during employee onboarding and departure, in accordance with ISO/IEC 27001 Annex A.6 (People controls) and ISO/IEC 27701 clause 6.4 (Human resource security), and shall manage the disciplinary process for non-compliance with QS practices and security & privacy measures.
8.1. Users
Users must comply with all security & privacy rules communicated to them and report any security or privacy incident as quickly as possible to their line manager and the CISO for further action.
8.1.1. Human Resource Security
Objective: to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
Terms and conditions of employment: the contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.
9. Communication
QS has determined the need for internal and external communications relevant to the information security management system and the privacy information management system. The referenced document addresses the following points and identifies the reporting lines for any escalation:
· what to communicate
· when to communicate
· with whom to communicate
· who shall communicate
· how communication takes place
10. Control of documented information
All ISMS & PIMS documents (policies, procedures, and guidelines) and records are created, maintained, and controlled in accordance with the defined processes and guidelines. Reviews and approvals are obtained for all documents as appropriate.
A separate document governs information lifecycle management and the archiving of information, with emphasis on business records, both internal and external. It covers security and privacy by design, information deletion, data masking, data leakage prevention, and web sessions across the information life cycle.
11. Information security and privacy objectives and planning
QS has established information & privacy security objectives at relevant functions and levels in order to maintain and continually improve the ISMS & PIMS and its performance. The information & privacy security objectives:
· are consistent with the information security and privacy policy;
· are measurable;
· take into account applicable information security and privacy requirements, and the results of risk assessment and risk treatment;
· are monitored;
· are communicated;
· are updated as appropriate.
While planning to achieve its information security and privacy objectives, the organization shall determine:
· what will be done
· what resources will be required
· who will be responsible
· when it will be completed and
· how the results will be evaluated
12. Operations
12.1. Change Management
We aim to prevent malfunction of the information system when implementing changes to platforms (application and system updates, changes in infrastructure or architecture) while maintaining the responsiveness of teams. Information security and privacy is an integral part of the entire project lifecycle. The risk management process is invoked to support the change management process.
12.2. Risk management
12.2.1. Information security risk assessment
QS has defined and implemented an information security and privacy risk assessment process that:
· Establishes and maintains information & privacy security risk criteria
· Ensures that repeated information security & privacy risk assessments produce consistent, valid, and comparable results
· Identifies the information & privacy security risks
· Analyses the information & privacy security risks
· Evaluates the information & privacy security risks
· Identifies mitigating actions, which are tracked in the risk register
12.2.2. Information Security Risk Treatment
QS also has defined and implemented an information security and privacy risk treatment process to:
a) Select appropriate information & privacy security risk treatment options, taking account of the risk assessment results.
b) Determine all controls that are necessary to implement the information & privacy security risk treatment option(s) chosen.
c) Compare the controls determined in point (b) with those in the Statement of Applicability and verify that no necessary controls have been omitted.
d) Produce a Statement of Applicability that contains the necessary controls (points b and c) and the justification for their inclusion, whether they are implemented or not, and the justification for the exclusion of controls.
e) Formulate an information & privacy security risk treatment plan.
f) Obtain the risk owners' approval of the information & privacy security risk treatment plan and their acceptance of the residual information & privacy security risks.
12.3. Management of Technical vulnerabilities
Following a risk-based approach, technical vulnerabilities are evaluated and remediated regularly to guard against attacks by correcting known vulnerabilities in systems and applications. Vulnerability management comprises the planning, implementation and operation of vulnerability management, patch management, threat intelligence, configuration management, monitoring activities and web filtering, in compliance with the applicable regulations. Periodic internal and third-party (external) penetration testing is conducted to assess and analyse the risk of any new vulnerabilities.
The external penetration testing largely covers:
• Web Application Security Assessment
• Web Service Security Assessment
• Security Configuration Review
12.4. Antivirus Protection
QS safeguards its information system, including its inputs and outputs, against viruses, malicious code and other cyber-attacks, protecting vulnerable systems from these threats.
QS staff systems are equipped with antivirus software; the antivirus signature databases are updated periodically by the software provider, after review with QS corporate IT. The configuration of the antivirus software is managed by the QS corporate IT support helpdesk. Users cannot change the configuration or uninstall the antivirus.
12.5. Backups
To protect against data loss in the event of incidents affecting the availability or integrity of assets, safeguard mechanisms, including backups, are in place for all systems and data (application configuration, application source code, application logs, access logs, database logs, configuration files, code, and product databases supporting client data). Business continuity plans are in place and regularly evaluated.
12.6. Monitoring and Logging
All critical functions and systems are monitored by Infrastructure support, together with data traceability. A visualisation tool is used to manage log reports, which are reviewed regularly.
All systems and equipment are synchronised to a single time source. Logs are analysed by the Infrastructure Head for anomalies, and the log retention period is consistent with legal requirements. Log reports are stored in protected areas.
12.7. Disposal
All computer equipment containing business information is discarded using a secure erasure process. Paper documents containing sensitive and/or confidential information are destroyed using a paper shredder, as per our information & privacy security policy. Procedures are established for the secure disposal of information security assets. A data retention policy governs normal operations; for client data, the applicable contractual and legal/regulatory requirements are followed.
13. Compliance
13.1. Compliance to legal, regulatory, and contractual obligation
We respect legal, regulatory and contractual requirements and adopt applicable standards.
The key drivers and mechanisms include the following:
· Local legal and regulatory compliance requirements (e.g., for the GDPR, these include the related data processing agreements and the standard contractual clauses per Commission Implementing Decision C(2021) 3972 final of 4.6.2021 and the related EDPB guidelines).
· Obligations under standard contracts or conditions of service offerings with suppliers/sub-processors.
· Obtaining and maintaining recognised certifications for the information security management system (ISO/IEC 27001), the privacy information management system (ISO/IEC 27701), cyber risk, etc.
Compliance is ensured through:
· Up-to-date legal, contractual, and regulatory requirements and measures, including those per Commission Implementing Decision C(2021) 3972 final of 4.6.2021 and the related EDPB guidelines.
· Observation of developments in the legal, regulatory, contractual, and standards framework.
· Procedures, and their implementation, to satisfy legal, regulatory, contractual and standards requirements, with communication channels in place for developments in that framework.
· Monitoring mechanisms, which can include audit indicators, penetration testing and vulnerability testing, updates to these tests, and scheduled or annual reviews.
· Action plans for non-conformities identified during audits.
Because of their impact, or potential impact, on QS's ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, QS has documented the applicable legal, regulatory and contractual requirements in order to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security & privacy.
13.2. Security Practices
QS adopts best information security & privacy practices by defining information & privacy security controls applicable to the entire QS information system. Additional information & privacy security measures identified through risk analysis, legal, regulatory or contractual concerns, or specific standards are addressed accordingly. A Statement of Applicability is established for the controls applicable in the context of the various products that make up the Software as a Service (SaaS) offering. Security & privacy controls and best practices are considered and implemented as appropriate to the risk level.
13.2.1. Information Classification Labelling Policy
To handle business information according to its identified security and privacy classification, QS has established an Information Classification & Labelling Policy to protect QS data against unauthorized access, unauthorized change, unintentional breach and data loss, supported by comprehensive security and privacy awareness.
13.2.2. Asset Management Process
QS has established an asset management process to effectively track, maintain, and utilize information and its associated assets, in order to prevent loss, damage, theft or compromise.
13.2.3. Clean Desk & Clear Screen
QS has adopted a Clean Desk and Clear Screen Policy for all workstations, including laptops and desktops. This ensures that all sensitive and confidential information, whether on paper or on a storage or hardware device, is properly locked away or kept secure from unauthorised use, or disposed of, when not in use.
13.2.4. Mobile devices & Mobile Communication Services
QS has established a Mobile Devices & Mobile Communication Services Policy to set clear guidelines for the appropriate use, security, and management of mobile devices and communication services within QS.
13.2.5. Teleworking & Home Office Policy
QS has adopted a Teleworking & Home Office Policy to set clear guidelines and expectations for QS employees who work remotely, either full-time or part-time.
13.2.6. Policy on Social Media
QS has established a policy on social media to guide QS employees on responsible online behaviour and on the handling of official social media platforms or channels, in order to protect QS's reputation, ensure legal compliance, and reduce the risks associated with inappropriate or unauthorized posts.
13.2.7. QS Supplier Security Policy (Managing_Outsourced_Services)
QS has established rules for its vendors and partners, considering that QS solutions entail the processing of protected data, namely personal data and the data included in the data forms of universities.
13.2.8. Information Security in Project Management
QS assesses the information security risks related to QS business projects and deliverables throughout the project life cycle.
13.2.9. Information & Privacy Security Incident Management
QS has established Information & Privacy Security Incident Management process to ensure effective and timely response to security and privacy incidents, including communication on information security and privacy events.
13.2.10. Business Continuity Management System
QS has established a Business Continuity Policy to ensure that the organization's objectives can continue to be met during a disruption, and to ensure the availability of information and other associated assets during a disruption.
14. Dealing with Personal data
We have the important responsibility of protecting the personal and sensitive personal data of our clients or prospects by respecting their rights.
Below are the steps ensured at QSIP, QSSR & QSEM 1Mentor to protect personal data:
· ISO/IEC 27001 and ISO/IEC 27701 controls adopted and implemented per the Statement of Applicability (refer to Annex B for the PIMS-specific reference control objectives and controls for PII Processors)
· Technical and Organisational Measures as required by the GDPR and per Commission Implementing Decision C(2021) 3972 final of 4.6.2021 (refer to Annex A)
· Strong firewall and anti-virus: multiple layers of security software, making unauthorized access to client data more difficult
· Access control: purpose-based access provisioning under a strong password policy, with regular password changes on key software systems and immediate access revocation when an employee exits
· Processing information ethically: Being transparent about data collection and usage and adhering to information handling policies
· Regular compliance checks against applicable country specific regulations like GDPR
· Data management: Adding value by collecting and managing client data responsibly and strategically, as per contractual and legal/regulatory obligations
· Supplier management: ensuring that suppliers/sub-processors fulfil information security and privacy requirements (including the protection of privacy as potentially affected by the processing of PII (Personally Identifiable Information)) through implementation of the applicable controls, so that the customer value chain is compliant.
· Training and Education: Training stakeholders on ISMS, PIMS, GDPR and Cyber security to enhance the focus on how to manage personal data and maintain information confidentiality & privacy.
The PIMS-specific reference control objectives and controls for PII Processors (refer to Annex B) are ensured at QSSR, QSIP (MoveON & MoveIN) and QSEM (1Mentor) through the Data Processing Agreement (DPA) and Standard Contractual Clauses (SCC), to protect personal data in cases of cross-border transfer.
15. Dealing with Intellectual Property
We respect intellectual property when using software subject to license. The licensed software used within the QS information system is recorded and maintained as part of our information asset inventory.
Licensing agreements are maintained by the responsible license owner. Requests to install licensed software are handled through the approval workflow. Regular checks are carried out on the information system to ensure consistency between licensing agreements and current installations.
16. Compliance
QS respects legal, regulatory and contractual requirements and adopts applicable standards. The Compliance team owns the internal audit of the QS Information & Privacy Security Policy and reports the results to the CISO. Any person who fails to comply with the QS Information & Privacy Security Policy and legal compliance requirements shall be subject to appropriate QS disciplinary action.
17. Commitment for ISMS & PIMS implementation
As per the Management Commitment, ISMS and PIMS implementation and continual improvement will be supported with adequate resources to achieve all objectives set in this Policy, as well as satisfy all identified requirements.
18. Revisions
Revisions to this document will be made annually or whenever deemed necessary.
19. Annex A: Measures based on suggestions from Commission Implementing Decision (EU) 2021/914 dated 4.6.2021.