Information Security and Privacy Policy

Table of Contents

1. HISTORY OF VERSIONS
2. REFERENCE
3. INTRODUCTION
4. SCOPE
5. PURPOSE
6. REVISIONS
7. INFORMATION & PRIVACY SECURITY POLICY
7.1. POLICIES REVIEW
7.2. APPROVAL
7.3. INFORMATION SECURITY AND PRIVACY CONTROLS
8. QS ORGANIZATION
8.1. SENIOR MANAGEMENT
8.2. CHIEF INFORMATION SECURITY OFFICER (CISO)
8.3. PRIVACY OFFICER
8.4. LINE MANAGERS
8.5. DATA PROTECTION OFFICER
8.6. HUMAN RESOURCE & WORKPLACE
8.7. USERS
8.8. POLICY COMMUNICATION
9. OPERATIONS
9.1. CHANGE MANAGEMENT
9.2. MANAGEMENT OF TECHNICAL VULNERABILITIES
9.3. ANTIVIRUS PROTECTION
9.4. BACKUPS
9.5. MONITORING AND LOGGING
9.6. DISPOSAL
10. COMPLIANCE
10.1. COMPLIANCE TO LEGAL, REGULATORY, AND CONTRACTUAL OBLIGATION
10.2. SECURITY PRACTICES
10.3. DEALING WITH PERSONAL DATA
11. DEALING WITH INTELLECTUAL PROPERTY
12. COMPLIANCE
13. SUPPORT FOR ISMS AND PIMS IMPLEMENTATION
14. ANNEX A: MEASURES BASED ON SUGGESTIONS FROM COMMISSION IMPLEMENTING DECISION (EU) 2021/914 DATED 4.6.2021
15. ANNEX B: QS PIMS-SPECIFIC REFERENCE CONTROL OBJECTIVES AND CONTROLS (PII PROCESSORS)

1. History of Versions

Date         Version  Author               Approved By        Comments
23/01/2019   1.0      Koljonen, Christina  -                  First Release
31/03/2020   2.0      Senthil Kumar C R    -                  I. Accommodated in the QS standard template; II. Updated sections: a. Introduction, b. Management of Technical Vulnerabilities; III. Added Revisions section
06.11.2020   3.0      Senthil Kumar C R    -                  Formatting of the document and inclusion of GDPR in Section 9.1
27.05.2021   4.0      Senthil Kumar C R    -                  Updates for External Certification Audit 2021
31.08.2021   5.0      Deepali Saxena       Senthil Kumar C R  QS rebranding template updated (logo, font etc.)
29.03.2022   5.1      Senthil Kumar C R    -                  Mapped to GDPR (EU 2016/679) and European Council & Commission decision C (2021) 3972 final dated 4.6.2021; included EDPB measures
05.01.2023   6.0      Senthil Kumar C R    -                  Updates for inclusion of PIMS
06.12.2024   6.1      Deepali Saxena       Senthil Kumar C R  Updated as a QS common document

2. Reference

ISO 27001:2022
ISO 27701
GDPR/BDSG
5.2
5.3.2
GDPR Chapter IV and Chapter V

3. Introduction

This document outlines the information & privacy security policies put in place by senior management of QS Quacquarelli Symonds (QS). QS offers unrivalled data, expertise, and solutions for the global higher education sector. Key services include Institutional Performance (QSIP MoveIN & MoveON), University Branded Services (QSUBS) and Employability Management (QSEM 1Mentor). These services are enabled by technology solutions and software that are cloud based. The QS ISMS and PIMS Policy below is supported by various subordinate policies, procedures, guidelines, templates, and checklists.

This policy and supporting policies, as part of the IPSMS, are to be adhered to by all entities included in the QS scope.

The confidentiality, integrity, availability, and privacy of information, in all its forms, are critical to the ongoing functioning and good governance of QS. Failure to secure information increases the risk of financial and reputational losses from which it may be difficult for QS to recover. This information & privacy security policy outlines the QS approach to information & privacy security management.

QS ISMS & PIMS Policy

We, at QS, continually strive to enhance the competitiveness of our customers with a range of value-added products and provide world-class support to institutions at large by adopting a process approach to excellence.

This shall be enabled by implementing an Information & Privacy Security Management System (IPSMS), with the involvement of relevant stakeholders for:

  • Ensuring enhanced customer experience & meeting applicable requirements.
  • Proactively protecting & ensuring security & privacy of PII (Personally Identifiable Information) data and information assets.
  • Fulfilling compliance obligations to applicable country-specific privacy laws and regulations.
  • Ensuring information security & privacy through design, risk management, change management & applicable controls.
  • Cascading information security and privacy requirements to suppliers, thereby ensuring the customer value chain is compliant.
  • Continually improving the information management system and processes.

It provides the guiding principles and responsibilities necessary to safeguard the security & privacy of the QS information systems. Supporting policies, codes of practice, procedures, and guidelines as documented in QS’ Information & Privacy Security Management System (ISMS & PIMS), provide further details.

QS is committed to a robust implementation of Information & Privacy Security Management. It aims to ensure the appropriate confidentiality, integrity and availability of data, and the protection of privacy as potentially affected by the processing of PII (Personally Identifiable Information). The principles defined in this policy apply to all the physical and electronic information assets for which QS is responsible. QS is specifically committed to protecting privacy while processing PII, and to preserving the confidentiality, integrity, and availability of documentation and data supplied by, generated by, and held on behalf of third parties in the course of work agreed by contract, in accordance with the requirements of ISO 27001 & ISO 27701 and applicable country-specific legal/regulatory compliance requirements, specifically GDPR (EU 2016/679).

4. Scope

This document is applicable to all locations where Institutional Performance (QSIP MoveON & MoveIN), University Branded Services (QSUBS) and Employability Management (QSEM 1Mentor) services are provided. It is applicable to QS staff – part-time, full-time and contractors (referred to as “Employees”). It also applies to information received from external service providers and/or guests (hereinafter referred to as “External parties”), to whom non-disclosed information is communicated or made available by QS. This document will be revised annually or when major changes occur.

5. Purpose

The purpose of this policy is to protect the QS information assets from all threats, whether internal or external, deliberate or accidental.

The structural elements of this policy are:

  • The policy context and the objectives defined by senior management.
  • System governance and organization for information & privacy security at QS.
  • Principles and security & privacy rules that conform to best practices of information & privacy security and apply across the whole of QS.

6. Revisions

Revisions to this document will be made annually, or whenever deemed necessary.