ConnexCS Data Security Policy
1. Purpose and Scope
This Data Security Policy outlines the measures ConnexCS takes to protect the confidentiality, integrity, and availability of the data entrusted to us by our wholesale VoIP carrier and enterprise clients.
This policy applies to all employees, contractors, and any third-party vendors who access or handle ConnexCS data, including:
- Customer Personally Identifiable Information (PII)
- Information and PII belonging to our customers' own end customers
- Call Detail Records (CDRs)
- Customer call recordings
- Access to monitor, and potentially listen to, active calls (for troubleshooting purposes only, and only with the customer's permission)
2. Data Classification
ConnexCS classifies data based on its sensitivity level:
- Public: Information readily available to the public (e.g., company website content).
- Confidential: Data requiring protection due to its sensitive nature (e.g., customer contact information, non-public company information).
- Highly Confidential: Highly sensitive data requiring the strictest security controls (e.g., credit card information, call recordings).
More stringent access controls, encryption standards, and handling procedures will be applied to data with higher classifications.
3. Access Controls
ConnexCS adheres to the principle of least privilege, granting access to data only to those personnel (employees, contractors, or vendors) who require it for their job duties.
Access is granted through a role-based access control (RBAC) system, and multi-factor authentication (MFA) is required for all accounts.
Password Management
- Strong passwords are required (minimum length, complexity requirements, and periodic changes).
- Password sharing is strictly prohibited.
- Password managers are encouraged.
4. Acceptable Use
ConnexCS employees are entrusted with protecting sensitive data.
Here are some guidelines:
- Company Devices and Networks: Only use company-approved devices and networks for work purposes. Downloading unauthorized software, using personal email for business purposes, or accessing inappropriate websites is prohibited.
- Data Sharing: Do not share sensitive information without authorization. Be cautious when using email and avoid unencrypted public Wi-Fi.
- Active Call Monitoring: Access to monitor active calls is for troubleshooting purposes only and requires explicit authorization.
- Call Recordings: Access to call recordings is strictly limited and requires a legitimate business need.
5. Email and Communication Security
Training: Employees will be trained on:
- Identifying phishing emails (looking for suspicious sender addresses, urgency tactics, grammatical errors, and requests for personal information).
- Recognizing social engineering attacks (being wary of unsolicited calls or emails requesting sensitive information or urging immediate action).
- Secure email practices (avoiding sending sensitive data via unencrypted email and using BCC for large recipient lists).
Technical Safeguards:
- Implement a spam filter to block suspicious emails.
- Utilize email encryption for transmitting highly confidential data. This can involve solutions like S/MIME or PGP encryption.
- Explore solutions to prevent data leakage through email, such as Data Loss Prevention (DLP) tools that scan outgoing emails for sensitive information.
Reporting: A clear procedure will be established for reporting suspicious emails to the IT security team. This may involve a dedicated reporting mailbox or a ticketing system.
6. Data Backup and Recovery
ConnexCS maintains regular backups of critical data using secure, geographically dispersed storage solutions. A comprehensive disaster recovery plan ensures timely data restoration in the event of incidents.
7. Incident Reporting
ConnexCS prioritizes a swift and effective response to all suspected data breaches or security incidents. This policy outlines the procedures for internal reporting and escalation to ensure a timely and coordinated response.
Reporting Procedure:
Multiple Reporting Channels: We provide various reporting options for employee convenience, including:
- Online Incident Reporting Form: A dedicated online form (link provided internally) allows for easy and detailed reporting.
- Security Hotline: Call the ConnexCS Security Hotline at [phone number] for immediate assistance.
- Security Team Email: Submit reports directly to the security team at [email address].
- Anonymous Reporting: We encourage anonymous reporting to create a safe space for employees to disclose potential incidents freely.
Timely Reporting: To facilitate a swift investigation and response, report suspected incidents within 24 hours of discovery.
Escalation Process:
- IT Security Team Triage: All reported incidents are initially reviewed by the IT security team. They will assess the severity, scope, and potential impact of the incident.
- Escalation Based on Severity: Depending on the incident's severity classification, the IT security team may escalate it to:
- Management: Incidents with a broader business impact or requiring leadership decisions will be escalated to relevant management teams.
- Legal Department: In cases of potential legal ramifications or regulatory breaches, the legal department will be involved.
- Communication and Collaboration: The IT security team will maintain clear communication with involved departments throughout the investigation and remediation process.
Benefits of Timely Reporting:
- Prompt reporting allows for quicker mitigation and containment efforts, minimizing potential damage.
- Early identification facilitates a more efficient investigation and helps determine the root cause.
- Proactive reporting enables ConnexCS to fulfill its obligations to notify affected individuals and regulatory bodies, if necessary.
By following these procedures, ConnexCS fosters a culture of data security awareness and empowers employees to be part of the solution. We appreciate your cooperation in safeguarding our valuable data and maintaining client trust.
8. Security Awareness and Training
ConnexCS provides regular security awareness training to all employees to educate them on cybersecurity best practices and this Data Security Policy. Training will cover topics such as:
- Phishing awareness
- Password security
- Data handling procedures
- Recognizing and reporting security incidents
9. Monitoring and Auditing
ConnexCS continuously monitors and audits its systems and data access to identify and address potential security risks. This includes:
- System activity logs
- User access controls
- Vulnerability management procedures
10. Policy Review and Updates
This Data Security Policy will be reviewed annually (or more frequently if necessary) to reflect changes in technology, regulations, and threats.
Enhancing and Promoting Safe Data Security Practices
ConnexCS is committed to fostering a culture of data security. The following additional practices supplement the controls above:
- Employee Background Checks: Consider background checks for employees with access to highly confidential data.
- Clean Desk Policy: Implement a clean desk policy to minimize the risk of unauthorized access to sensitive information on physical documents.
- Data Minimization: Collect and store only the data necessary for business purposes.
- Encryption: Implement data encryption at rest and in transit for all data classifications.
- Third-Party Vendor Management: Perform due diligence on third-party vendors and ensure they have robust data security practices in place.
- Penetration Testing: Conduct regular penetration testing to identify and address vulnerabilities in systems and applications.
- Incident Response Plan: Develop a comprehensive incident response plan to effectively address and mitigate data breaches.
By implementing these comprehensive security measures and promoting a culture of data security awareness, ConnexCS can ensure the continued protection of our clients' valuable data.