Information Security Policy

Effective Date: January 1, 2025

Last Updated: January 1, 2025
1. Purpose

This Information Security Policy defines BRCG’s commitment to protecting the confidentiality, integrity, and availability of client systems and data accessed in the course of providing services.

2. Scope

This Policy applies to all employees, contractors, and vendors who have access to BRCG-managed systems or client-provided platforms and data.

3. Information Security Governance

  • Security Leadership: BRCG appoints an internal Data Security Lead responsible for coordinating security compliance efforts and incident response.
  • Policy Review: This policy is reviewed at least annually, or upon material changes to business practices, systems, or regulatory requirements.

4. Access Controls

  • Access to systems and client environments is granted based on the principle of least privilege and on a need-to-know basis.
  • All access permissions are reviewed at least quarterly and immediately revoked upon employee or contractor termination.
  • Password policies require the use of strong, unique passwords, and multi-factor authentication (MFA) is required where supported.
  • Authentication credentials must not be shared under any circumstances.

5. Data Handling and Protection

  • Personally Identifiable Information (PII) must be processed only within client-owned and authorized systems.
  • Local storage of PII on BRCG-owned devices is strictly prohibited unless expressly authorized in writing by the client.
  • All PII and sensitive data must be encrypted in transit and at rest using industry-standard encryption protocols (e.g., TLS 1.2+, AES-256).

6. Device Management

  • All devices used to access client systems must have:
    • Full disk encryption
    • Up-to-date antivirus and antimalware protection
    • Regularly applied security patches and software updates
  • Mobile devices used to access client systems must be protected by PINs, biometric authentication, and mobile device management (MDM) controls where feasible.
  • Lost or stolen devices must be reported immediately, and remote wipe functionality must be enabled where possible.

7. Logging and Monitoring

  • User activity on client systems may be logged where technically feasible and reviewed to detect unauthorized or suspicious activity.
  • BRCG maintains internal records of access approvals, access removals, and security incidents.

8. Incident Response

  • Any actual or suspected security incident, data breach, or unauthorized disclosure must be reported internally within 24 hours.
  • Incidents will be investigated, documented, and escalated to affected clients with recommendations for remediation.
  • BRCG will cooperate fully with client-led investigations and reporting obligations.

9. Business Continuity and Disaster Recovery

  • BRCG maintains documented contingency procedures to minimize service disruption in the event of system failures, natural disasters, or cyberattacks.
  • Regular backups of operational information and configuration settings are maintained to support recovery objectives.

10. Training and Awareness

  • All employees, contractors, and vendors undergo:
    • Security awareness training at the time of onboarding
    • Mandatory annual refresher training thereafter
  • All personnel must sign NDAs and Confidentiality Agreements before gaining access to client systems or data.

11. Vendor and Contractor Management

  • Contractors and third-party vendors must meet the same security requirements as BRCG employees.
  • Vendor security practices are evaluated as part of the onboarding process and reviewed periodically thereafter.