Data and Information Security Policy
The Customers of PRAGMA may, from time to time, want to share very sensitive data and information (“The Data”). This Data must be treated with very high care, regardless of whether confidentiality is explicitly mentioned. All PRAGMA employees must abide by this Policy, in direct relationship to their employment contract and confidentiality agreement. All PRAGMA collaborators (suppliers, subcontractors, consultants, etc.) that may come into contact with the said Data must also abide by this Policy, in direct relationship to their engagement contract and confidentiality agreement.
This Policy is a strict code of conduct established by PRAGMA management (“The Management”). A contravention of this code may be grounds for termination of employment or contract, without notice, and with possible legal action.
Normally, most Customers will ask to sign an NDA before exchanging information. Before receiving the Data, it is important to check whether a signed NDA exists between the Customer and PRAGMA.
Regardless of a signed NDA, PRAGMA email signatures commit to basic confidentiality of information.
3. Need-to-Know Basis
Before a Customer shares the Data, it is important to ask whether there is a “need to know” in the first place. Where possible, it is preferable to avoid receiving the Data and to use alternative solutions instead.
4. Criticality of Disclosure
If the Customer really needs to send the Data, it is important to ask beforehand about its degree of criticality. PRAGMA establishes the following degrees of criticality:
| Degree of Criticality | Description |
|---|---|
| RESTRICTED | Data can be shared with the email or link recipient, but shall not be propagated inside PRAGMA, on the file server or otherwise. |
| INTERNAL | Data can be shared internally at PRAGMA, on a need-to-know basis, under NDA and with precautions to use adequate sharing media. |
| LIMITED | Data can be shared internally at PRAGMA and with the relevant subcontractors and suppliers, on a need-to-know basis, under NDA and with precautions to use adequate sharing media. |
5. Workstation & Sharing
All PRAGMA employees and collaborators must make sure that their computers, operating systems and installed applications are configured such that no security breach can occur. Screen sharing and remote-control technologies (e.g. Teams, Zoom, Skype, TeamViewer) are tolerated for productivity reasons, but employees must limit the visual disclosure of the Data according to its Degree of Criticality.
6. Portable Media
Customer Data should not remain on portable media (e.g. USB sticks, external SSD drives) for a long period of time. Once the need for portability has passed, the Data should be stored appropriately on the company file server, according to its Degree of Criticality.
If the Degree of Criticality allows it, Customer Data can be archived on PRAGMA’s cloud system (Microsoft SharePoint, OneDrive, Teams).
8. Software Code
The software developed by PRAGMA, and the third-party libraries it uses, must not contain security breaches such as backdoors, “Easter eggs”, malware or any other means of diverting Customer Data to an undeclared, unauthorized destination or medium. PRAGMA software products that are meant to run on Windows PCs must not take advantage of any known weakness of the Windows operating system to implement or allow the security breaches described above. PRAGMA software products running on embedded CPUs must not record Customer Data in the embedded memory (Flash, EEPROM, etc.).
9. Disclosure of Incidents
If a human error has caused a possible security breach in contravention of this Policy, the Management of PRAGMA should be made aware. The Management will assess the possible breach and, if it is confirmed, will inform the Customer of the incident and of the actions that were taken.
10. Destruction of Data
Whenever a Customer requests the destruction of the Data, the Administration must be informed. Within 5 days, the Management should confirm the scope of destruction and ask the Customer to reconfirm the request. Within 2 days of the Customer’s reconfirmation, the Data must be completely deleted from all media (server, USB sticks, cloud, etc.). An email confirmation must then be sent to the Customer, with a copy to the Management.
11. Right for Audit
The Customer can request an audit of compliance with this Policy in respect of their Data, provided the Customer bears the related costs. Such an audit can include the review of documentation, emails and media content, hacking tests (a.k.a. intrusive testing), and more. The scope of the audit, the dates, the individuals involved, the modus operandi and the costs must be agreed beforehand, with adequate notice to PRAGMA.
12. Policy Review
This Policy must be reviewed every year, in January.