Security Management Policy

LightCastle Editorial Wing
May 13, 2024

1.1 Purpose and Scope

The purpose of this Security Management Policy is to establish guidelines and procedures to ensure the confidentiality, integrity, and availability of information assets at LightCastle Partners Limited. This policy applies to all employees, contractors, and third-party entities with access to LightCastle’s information systems.

1.2 Information Security Objectives

  1. Protect the confidentiality of sensitive information
  2. Ensure the integrity of data and information
  3. Guarantee the availability of information systems
  4. Comply with legal and regulatory requirements
  5. Safeguard the reputation and trust of LightCastle Partners Limited
  6. Minimize the risk of security breaches and incidents

1.3 Information We Collect and How We Use

  1. Primary Data Collection: Our company gathers data directly from the field, varying sample sizes based on project and market research requirements. Depending on the need, we may collect confidential personal and business operational information, such as names, addresses, phone numbers, NID, pictures, business models, profits, sales, loan details, contracts, and financial data. We always obtain verbal consent before collecting such confidential information.
  2. Email Communications: If anybody sends us an email with questions or comments, we may use their personally identifiable information to respond to their questions or comments, and we may save their questions or comments for future reference. For security reasons, we do not recommend sending non-public personal information, such as passwords, social security numbers, or bank account information, to us by email. However, aside from our reply to such an email, it is not our standard practice to send anybody an email unless they ask particular questions, request project support, or apply for our vacancies. In certain instances, we may provide them with the option to set their preferences for receiving email communications from us; that is, to agree to some communications but not others.
  3. Transfer of Assets: As we continue to develop our business, we may sell or purchase assets. If another entity acquires us or all (or substantially all) of our assets, the personally identifiable information and non-personal information we have about you will be transferred to and used by this acquiring entity. Also, if any bankruptcy or reorganization proceeding is brought by or against us, all such information may be considered an asset of ours and as such may be sold or transferred to third parties.
  4. Other: Notwithstanding anything herein to the contrary, we reserve the right to disclose any personally identifiable information or non-personal information about you if we are required to do so by law, concerning copyright or other intellectual property infringement claims, or if we believe that such action is necessary to: (a) fulfill a government request; (b) conform with the requirements of the law or legal process; (c) protect or defend our legal rights or property, our Website, or other users; or (d) in an emergency to protect the health and safety of our Website’s users or the general public.

1.4 Actions We Take While Collecting Personal Data

Taking consent: Before collecting any personal or confidential information, obtaining written consent from the data provider is imperative. A commitment is made to refrain from sharing or selling the collected data to any third party for personal gain. In instances where collaboration with a third party is necessary, explicit consent is sought. This entails informing the data provider about the specific organization with which the information is intended to be shared and obtaining acknowledgment that the data provider bears no obligations to the said third party.

Provide clear consent wording: We as an organization are obligated to use clear, non-legalese language that allows the person to provide unambiguous consent. Mostly, our company gathers primary data from the field. Ensuring the security of this information is our responsibility, and it’s crucial to communicate these details clearly using simple language.

Caution: We have implemented security management measures we consider reasonable and appropriate to protect against the loss, misuse, and alteration of the information under our control. Please be advised, however, that while we strive to protect your personally identifiable information and privacy, we cannot guarantee or warrant the security of any information you disclose or transmit to us online and are not responsible for the theft, destruction, or inadvertent disclosure of your personally identifiable information.

1.5 Security Management Policy

  1. Access Control: User access rights will be granted based on the principle of least privilege. Access to sensitive information will be restricted and monitored. User account management will follow strict procedures, including timely deactivation of accounts. This Security Management Policy will be reviewed annually or as needed to ensure its relevance and effectiveness. All employees are responsible for adhering to the policies and reporting any security concerns promptly.
  2. Physical Security: Physical access to data centers, server rooms, and other critical infrastructure will be restricted and monitored. Surveillance cameras and access control systems will be deployed in sensitive areas.
  3. Security Awareness Training: All employees will receive regular training on security best practices, policies, and procedures to ensure a high level of security awareness. The effectiveness of the security training and awareness program will be periodically evaluated through assessments and feedback from employees.
  4. Compliance: LightCastle Partners Limited will comply with relevant legal and regulatory requirements related to information security. Regular audits and assessments will be conducted to ensure compliance.
  5. Enforcement: Violations of this Security Management Policy may result in disciplinary action, including but not limited to reprimands, suspension, termination, and legal action, as deemed appropriate.
  6. Policy Distribution: This policy will be distributed to all employees and contractors and will be made available on the company’s intranet.
  7. Third-Party Security: Third parties, which include photographers, banks, legal teams, PR consultants, and any other required partners or freelancers engaged on a per-project basis, with access to LightCastle’s systems will be required to adhere to security standards and undergo periodic security assessments. Contracts with third parties will include security clauses and requirements.
  8. Security Incident Reporting: All employees are required to report any suspected or confirmed security incidents promptly to the IT or Security team. An incident response team will be designated and trained to handle security incidents effectively.
  9. Data Backup and Recovery: Regular backups of critical data will be performed, and the integrity and effectiveness of backups will be tested periodically. The impact of changes on security will be assessed, and necessary security measures will be implemented.
  10. Social Engineering Awareness: Employees will receive training on recognizing and preventing social engineering attacks, such as phishing and pretexting. Simulated phishing exercises may be conducted periodically to assess and improve employee awareness.
  11. Emerging Threats and Technology Monitoring: The IT and Security team will stay informed about emerging threats and technological advancements to proactively address new security challenges. Security Management controls will be updated to mitigate risks associated with evolving threats. A regular monthly quality check is required.
  12. Privacy Protection and Confidentiality: LightCastle is bound to maintain the confidentiality, integrity, and availability of information, with a focus on the specific nuances of the Bangladeshi landscape. We are committed to protecting the privacy of individuals and will comply with applicable data protection laws and regulations. Privacy impact assessments will be conducted for new projects involving personal information.
  13. Collaboration with Law Enforcement: In the event of a security incident, LightCastle Partners Limited will collaborate with law enforcement agencies as necessary to investigate and resolve the incident.
  14. Cloud Security: Security measures will be implemented to protect data stored in cloud environments, including the use of encryption, access controls, and regular security assessments.
  15. Environmental Controls: Measures will be implemented to safeguard information systems and data against environmental threats such as fire, flood, and other natural disasters.
  16. Safety Security: In the event of political turmoil or extraordinary circumstances such as strikes, blockades, rallies, etc., individuals are permitted to work remotely. In the event of any issues arising in the field or requiring damage control, decisions will be made by senior management on a case-by-case basis.
  17. Employee Exit Procedures: Upon an employee’s departure from the company, a thorough exit procedure will be implemented. This includes the revocation of access rights, retrieval of company property such as documents, company email, business cards, ID cards, company data, and the verification of the return of any sensitive information. Essential data or information may be securely archived and transferred to the senior management account, following which the associated email address account will be deactivated.
  18. Data Protection and Privacy: LightCastle Partners Limited recognizes the importance of protecting personal information and will comply with the provisions of the Bangladesh Data Protection Act. Any processing of personal data will be conducted in accordance with the principles and requirements outlined in the applicable data protection laws of Bangladesh. The disclosure of personal data for any purposes other than work-related activities is strictly prohibited. Personal/official data is to be utilized solely for work-related purposes.
  19. Reporting of Security Incidents to Authorities: In the event of a security incident that involves a breach of personal information, LightCastle Partners Limited will adhere to the reporting requirements stipulated by the relevant authorities.
  20. Cross-Border Data Transfer Compliance: Cross-border data transfers will be conducted in accordance with the regulations set forth by the Bangladesh Data Protection Act, ensuring that data subjects’ rights are protected during international data transfers.
  21. Client Rights Protection: LightCastle Partners Limited will respect and protect the rights of clients/stakeholders, particularly concerning the security and privacy of consumer data.

1.6 LightCastle Data Breach Plan

It requires us to report data breaches no later than 72 hours after we become aware of the breach. We are proactive and have designed a data breach action plan as a precaution.

The following are our planned best practices for responding to a data breach.

  1. Communicate internally to all employees and provide guidelines to all stakeholder-facing employees on how to respond to and assist clients.
  2. A social media response plan ensures a designated person is available to respond to social media posts.
  3. Publish as much information as possible, as quickly as possible, about the breach on the company website or direct stakeholders to a microsite designed to dispense information about the breach.
  4. Notify affected parties. Send an appropriate form of communication, whether through email, paper mail, or a phone call, notifying affected parties about the breach.
  5. Communicate to affected parties and media that the business is taking all measures to mitigate the damage of the breach.
  6. Inform affected parties and media that they should report any suspicious activity with regard to the use of their data to the business and the proper authorities (if applicable).
  7. Engage the clients, public and private sectors, or external communications to issue a press release and/or hold news conferences to inform the public about the breach. Be as transparent as possible.
  8. Provide clear instructions about how to file complaints, get assistance, or reach the customer service department.
  9. Assist customers who are suffering negative consequences resulting from the breach.
  10. Update affected parties and media about how the company will prevent future breaches.
  11. Coordinate with internal stakeholders to ensure compliance going forward.

1.7 Public Forums

We may offer chat rooms, blogs, message boards, bulletin boards, or similar public forums where you and other users of our Websites can communicate. The protections described in this Privacy Policy do not apply when you provide information (including personal information) in connection with your use of these public forums. We may use personally identifiable information and non-personal information about you to identify you with a posting in a public forum. Any information you share in a public forum is public information and may be seen or collected by anyone, including third parties that do not adhere to our Privacy Policy. We are not responsible for events arising from the distribution of any information you choose to publicly post or share through our Websites.

1.8 Other Sites

Our Website may link to or contain links to other third-party websites that we do not control or maintain, such as in connection with purchasing catering services or other services or products referenced on our Website. We are not responsible for the privacy practices employed by any third-party website. We encourage you to note when you leave our Website and to read the privacy statements of all third-party websites before submitting any personally identifiable information.
