Security

How we work

Information Security Policy

This Information Security Policy establishes how we protect client data and systems while delivering technology consulting services. This policy applies to all team members, contractors, and subcontractors who handle client information or access client systems.

Our Security Commitment

We are committed to protecting the confidentiality, integrity, and availability of client data and systems. Information security is fundamental to maintaining client trust and delivering quality consulting services.

Leadership and Responsibility

Security Officer: Nathan Clark is responsible for information security oversight and policy implementation.

Management: Leadership is committed to providing resources for security measures and ensuring team compliance.

Everyone: All team members are responsible for following security practices in their daily work.

Core Security Requirements

Access Control

  • Use unique user accounts for all systems (no shared accounts)
  • Use strong passwords and store them in BNB's password vendor platform
  • Multi-factor authentication (MFA) whenever possible and required for all critical systems and client access
  • Grant access only when needed for specific projects
  • Remove access immediately when projects end or team members leave
  • Leverage GitHub organization single sign on (SSO) whenever possible

Client Data Protection

  • Client data stays separate - never mix data from different clients
  • Encrypt all client data in transit (SFTP, TLS, VPN)
  • Encrypt client data on laptops and portable devices
  • Use secure file sharing (no email attachments for sensitive data)
  • Delete client data when projects end, as agreed with client
  • Use one time secret tools when emailing sensitive data

Device and Endpoint Security

  • Keep all devices updated with latest patches
  • Use antivirus/anti-malware on all computers
  • Enable automatic screen locks (15 minutes max)
  • Encrypt laptop hard drives
  • Use company-approved cloud storage only

Network Security

  • When available, use VPN for client system access
  • When possible, use wired internet connections
  • Secure home and office WiFi (WPA3, strong passwords)

Consulting Project Security

  • Project README's outline which client systems we access
  • Get client approval before connecting to their networks
  • Follow client security policies when working on-site or remotely
  • Use secure development practices for any code we write
  • Regular backups of project work (encrypted and secure) through BNB's backup vendor

Team Security Practices

Training and Awareness

  • Annual security training for all team members
  • Project-specific security briefings when needed
  • Regular security updates and reminders

Incident Response

If you discover a security incident: 1. Immediately notify the Security Officer 2. Document what happened 3. Preserve evidence (don't "fix" things first) 4. Notify affected clients within 24 hours 5. Take steps to prevent further damage

Physical Security

  • Secure workspaces
  • Don't leave devices unattended in public
  • Secure disposal of papers and drives with client data

Working with Subcontractors

  • Subcontractors must agree to follow the same security practices
  • Provide security requirements before project start
  • Monitor subcontractor access to client systems
  • Include security requirements in all subcontractor agreements

Regulations

  • GDPR compliance for EU client data
  • Industry-specific regulations as required by clients
  • Data retention according to client agreements and legal requirements

Client Requirements

  • When needed, meet project-specific security standards
  • Provide security documentation when requested
  • Allow client security audits when contractually required
  • Maintain relevant security certifications if needed

Business Continuity

Backup and Recovery

  • Regular backups of all project data
  • Alternative workspace arrangements for emergencies
  • Communication plan for clients during disruptions

Key Dependencies

  • Document critical systems and access requirements
  • Maintain relationships with key technology vendors
  • Cross-training on essential client systems

Monitoring and Improvement

Regular Activities

  • Annual security check-ins with team
  • Annual review of access permissions
  • Annual policy review and updates
  • Track security incidents and lessons learned

Continuous Improvement

  • Update practices based on new threats and client needs
  • Incorporate feedback from security incidents
  • Stay current with industry security practices

Policy Management

Review Schedule: This policy is reviewed annually or when significant changes occur.

Updates: All team members will be notified of policy changes and receive updated training.

Questions: Contact the Security Officer for clarification on any security requirements.

Document Control

  • Version: 1.0
  • Effective Date: September 2, 2025
  • Security Officer: Nathan Clark
  • Next Review: September 1, 2026
Next